diff --git a/checklists-ext/fullwaf_checklist.en.json b/checklists-ext/fullwaf_checklist.en.json
index bac7c91c6..338fb17e6 100644
--- a/checklists-ext/fullwaf_checklist.en.json
+++ b/checklists-ext/fullwaf_checklist.en.json
@@ -4831,6 +4831,756 @@
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"waf": "Reliability"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Follow Metaprompting guardrails for resonsible AI",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Enable monitoring for your AOAI instances",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Monitor token usage to prevent service disruptions due to capacity",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operational Execellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Improve latency of the system by limiting token sizes, streaming options",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Service accounts follows organizational naming conventions",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Review the guidance provided on setting up AI search for Reliability",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Evaluate usage of billing models - PAYG vs PTU",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Red team your GenAI applications",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Consider Quota management practices",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operations"
+ },
{
"arm-service": "Microsoft.CognitiveServices/accounts",
"checklist": "Cognitive Services Review Checklist",
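Review bot: The item with guid `4e4f1854-287d-45cd-a126-cc031af5b1fc` carries `"waf": "Operational Execellence"` while every other item in this hunk uses `"Operations"` (alongside `"Reliability"`, `"Performance"` and `"Cost"`), so any consumer that filters or groups by pillar will silently drop that item; it should read `"waf": "Operations"`. The security controls added here (Entra/Managed Identity instead of API keys, disabling key-based access, RBAC, private endpoints, firewall/UDR egress control, Key Vault storage and rotation, Defender/Sentinel, encryption of RAG data) are all tagged `"waf": "Reliability"`, which hides them from a pillar-based review of security posture; if this file's pillar vocabulary has a Security value (the Well-Architected Framework does) these should use it, otherwise the mapping in whatever produced this hunk looks wrong. Several `"text"` values carry typos or stray whitespace ("resonsible", "slution", "choosen", "th data stores", trailing spaces before the closing quote), and the text of guid `3418db61-2712-4650-9bb4-7a393a080327` ends in a U+FFFD replacement character, so it was mis-encoded before commit and its original ending needs restoring from the source. The same guids and the same misspellings appear on the removed side of the checklists/aoai_checklist.en.json hunk below, so if this file is generated from the per-service checklists the wording fixes belong there rather than only here.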
@@ -25241,7 +25991,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/aoai_checklist.en.json b/checklists/aoai_checklist.en.json
index 2bc9daa20..2fdc3071d 100644
--- a/checklists/aoai_checklist.en.json
+++ b/checklists/aoai_checklist.en.json
@@ -1,921 +1,920 @@
{
- "items": [
- {
- "category": "Responsible AI",
- "subcategory": "Metaprompting",
- "text": "Follow Metaprompting guardrails for resonsible AI",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
- "id": "AOAI.1",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails"
- },
- {
- "category": "Responsible AI",
- "subcategory": "Content Safety",
- "text": "Review and implement Azure AI content safety",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
- "id": "AOAI.2",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview"
- },
- {
- "category": "Responsible AI",
- "subcategory": "UX best practice",
- "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
- "id": "AOAI.3",
- "severity": "Medium",
- "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/"
- },
- {
- "category": "Responsible AI",
- "subcategory": "Jail break Safety",
- "text": "Implement Prompt shields and groundedness detection using Content Safety ",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
- "id": "AOAI.4",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Token Optimization",
- "text": "Use prompt compression tools like LLMLingua or gprtrim",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
- "id": "AOAI.5",
- "severity": "Medium",
- "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Token Optimization",
- "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "adfe27be-e297-401a-a352-baaab79b088d",
- "id": "AOAI.6",
- "severity": "High",
- "link": "https://github.com/openai/tiktoken"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Costing Model",
- "text": "Evaluate usage of billing models - PAYG vs PTU",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
- "id": "AOAI.7",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Quota Management",
- "text": "Consider Quota management practices",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
- "id": "AOAI.8",
- "severity": "High",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268"
- },
- {
- "category": "Operations Management",
- "subcategory": "Load Balancing",
- "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
- "id": "AOAI.9",
- "severity": "Medium",
- "link": "https://github.com/Azure/aoai-apim/blob/main/README.md"
- },
- {
- "category": "Operations Management",
- "subcategory": "Load Balancing",
- "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
- "id": "AOAI.10",
- "severity": "High",
- "link": "https://github.com/Azure-Samples/AI-Gateway"
- },
- {
- "category": "Operations Management",
- "subcategory": "Monitoring",
- "text": "Enable monitoring for your AOAI instances",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
- "id": "AOAI.11",
- "severity": "High",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850"
- },
- {
- "category": "Operations Management",
- "subcategory": "Alerts",
- "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
- "id": "AOAI.12",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts"
- },
- {
- "category": "Operations Management",
- "subcategory": "Monitoring",
- "text": "Monitor token usage to prevent service disruptions due to capacity",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
- "id": "AOAI.13",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring"
- },
- {
- "category": "Operations Management",
- "subcategory": "Observability",
- "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
- "id": "AOAI.14",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring"
- },
- {
- "category": "Operations Management",
- "subcategory": "Observability",
- "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
- "id": "AOAI.15",
- "severity": "Low",
- "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562"
- },
- {
- "category": "Operations Management",
- "subcategory": "Infrastructure Deployment",
- "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
- "id": "AOAI.16",
- "severity": "High",
- "link": "https://github.com/Azure-Samples/openai-enterprise-iac"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Authentication",
- "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "4350d092-d234-4292-a752-8537a551c5bf",
- "id": "AOAI.17",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity"
- },
- {
- "category": "Responsible AI",
- "subcategory": "Evaluation",
- "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
- "waf": "Operational Execellence",
- "service": "Azure OpenAI",
- "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
- "id": "AOAI.18",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2"
- },
- {
- "category": "Operations Management",
- "subcategory": "Hosting model",
- "text": "Evaluate usage of Provisioned throughput model ",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "68889535-e327-4897-b31b-67d67be5962a",
- "id": "AOAI.19",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency"
- },
- {
- "category": "Operations Management",
- "subcategory": "Throughput definition",
- "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
- "id": "AOAI.20",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput"
- },
- {
- "category": "Operations Management",
- "subcategory": "Latency improvement",
- "text": "Improve latency of the system by limiting token sizes, streaming options",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
- "id": "AOAI.21",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance"
- },
- {
- "category": "Operations Management",
- "subcategory": "Elasticity segregation",
- "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
- "id": "AOAI.22",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching"
- },
- {
- "category": "Operations Management",
- "subcategory": "Benchmarking",
- "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "5bda4332-4f24-4811-9331-82ba51752694",
- "id": "AOAI.23",
- "severity": "High",
- "link": "https://github.com/Azure/azure-openai-benchmark/"
- },
- {
- "category": "Operations Management",
- "subcategory": "Elasticity ",
- "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
- "id": "AOAI.24",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268"
- },
- {
- "category": "Operations Management",
- "subcategory": "Model choice",
- "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
- "id": "AOAI.25",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models"
- },
- {
- "category": "Operations Management",
- "subcategory": "Fine tuning",
- "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
- "waf": "Performance",
- "service": "Azure OpenAI",
- "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
- "id": "AOAI.26",
- "severity": "Medium",
- "link": "https://github.com/Azure/azure-openai-benchmark/"
- },
- {
- "category": "BC and DR",
- "subcategory": "Multi-region architecture",
- "text": "Deploy multiple OAI instances across regions",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
- "id": "AOAI.27",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability"
- },
- {
- "category": "BC and DR",
- "subcategory": "Load balancing",
- "text": "Implement retry & healthchecks with Gateway pattern like APIM",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
- "id": "AOAI.28",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability"
- },
- {
- "category": "BC and DR",
- "subcategory": "Quotas",
- "text": "Ensure having adequate quotas of TPM & RPM for the workload",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
- "id": "AOAI.29",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota"
- },
- {
- "category": "BC and DR",
- "subcategory": "Load balancing",
- "text": "Deploy separate fine tuned models across regions if finetuning is employed",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
- "id": "AOAI.30",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery"
- },
- {
- "category": "BC and DR",
- "subcategory": "Data Backup and Disaster Recovery",
- "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
- "id": "AOAI.31",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/backup/backup-overview"
- },
- {
- "category": "BC and DR",
- "subcategory": "SLA considerations",
- "text": "Azure AI search service tiers should be choosen to have a SLA ",
- "waf": "Reliability",
- "service": "Azure OpenAI",
- "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
- "id": "AOAI.32",
- "severity": "High",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Data Sensitivity",
- "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
- "id": "AOAI.33",
- "severity": "Low",
- "link": "https://learn.microsoft.com/purview/purview"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Encryption at Rest",
- "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
- "id": "AOAI.34",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Transit Encryption",
- "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
- "id": "AOAI.35",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/search/search-security-overview"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Access Control",
- "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
- "id": "AOAI.36",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Data Masking and Redaction",
- "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
- "id": "AOAI.37",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Threat Detection and Monitoring",
- "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
- "id": "AOAI.38",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Data Retention and Disposal",
- "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
- "id": "AOAI.39",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Data Privacy and Compliance",
- "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
- "id": "AOAI.40",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/compliance/"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Employee Awareness and Training",
- "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
- "id": "AOAI.41",
- "severity": "Medium"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Environment segregation",
- "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
- "id": "AOAI.42",
- "severity": "High"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Index Segregation",
- "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
- "id": "AOAI.43",
- "severity": "Medium"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Sensitive Data in Separate Instances",
- "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
- "id": "AOAI.44",
- "severity": "Medium"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Embedding and Vector handling",
- "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
- "id": "AOAI.45",
- "severity": "High"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Access control",
- "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
- "id": "AOAI.46",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Network security",
- "text": "Configure private endpoint for AI services to restrict service access within your network",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
- "id": "AOAI.47",
- "severity": "High",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Network security",
- "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
- "id": "AOAI.48",
- "severity": "High"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Control Network Access",
- "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
- "id": "AOAI.49",
- "severity": "High"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Secure APIs and Endpoints",
- "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
- "id": "AOAI.50",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Implement Strong Authentication",
- "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
- "id": "AOAI.51",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Use Network Monitoring",
- "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
- "id": "AOAI.52",
- "severity": "Medium"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Security Audits and Penetration Testing",
- "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
- "id": "AOAI.53",
- "severity": "Medium"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Infrastructure Deployment",
- "text": "Azure AI Services are properly tagged for better management",
- "waf": "Operational Excellence",
- "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
- "id": "AOAI.54",
- "service": "Azure OpenAI",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Infrastructure Deployment",
- "text": "Azure AI Service accounts follows organizational naming conventions",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "id": "AOAI.55",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Diagnostics Logging",
- "text": "Diagnostic logs in Azure AI services resources should be enabled",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "id": "AOAI.56",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging"
- },
- {
- "category": "Identity and Access Management",
- "subcategory": "Entra ID based access",
- "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "id": "AOAI.57",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/authentication"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Secure Key Management",
- "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
- "id": "AOAI.58",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Key Rotation and Expiration",
- "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
- "id": "AOAI.59",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Secure coding practice",
- "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "id": "AOAI.60",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Patching and updates",
- "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
- "id": "AOAI.61",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops"
- },
- {
- "category": "Responsible AI",
- "subcategory": "Governance",
- "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "e29711b1-352b-4eee-879b-588defc4972c",
- "id": "AOAI.62",
- "severity": "High",
- "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Cost familiarization",
- "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
- "id": "AOAI.63",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Batch processing",
- "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
- "id": "AOAI.64",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Cost monitoring",
- "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
- "id": "AOAI.65",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs"
- },
- {
- "category": "Cost Optimization",
- "subcategory": "Token limit",
- "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
- "waf": "Cost Optimization",
- "service": "Azure OpenAI",
- "guid": "166cd072-af9b-4141-a898-a535e737897e",
- "id": "AOAI.66",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits"
- },
- {
- "category": "Operations Management",
- "subcategory": "AI Search Reliability",
- "text": "Review the guidance provided on setting up AI search for Reliability",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
- "id": "AOAI.67",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/search/search-reliability"
- },
- {
- "category": "Operations Management",
- "subcategory": "AI Search Vector Limits",
- "text": "Plan and manage AI Search Vector storage",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
- "id": "AOAI.68",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota"
- },
- {
- "category": "Operations Management",
- "subcategory": "DevOps",
- "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
- "id": "AOAI.69",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2"
- },
- {
- "category": "Operations Management",
- "subcategory": "DevOps",
- "text": "Evaluate the quality of prompts and applications when switching between model versions",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
- "id": "AOAI.70",
- "severity": "Medium",
- "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793"
- },
- {
- "category": "Operations Management",
- "subcategory": "Development",
- "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "3418db61-2712-4650-9bb4-7a393a080327",
- "id": "AOAI.71",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2"
- },
- {
- "category": "Operations Management",
- "subcategory": "Development",
- "text": "Evaluate your Azure AI Search results based on different search parameters",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "294798b1-578b-4219-a46c-eb5443513592",
- "id": "AOAI.72",
- "severity": "Medium"
- },
- {
- "category": "Operations Management",
- "subcategory": "Development",
- "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "2744293b-b628-4537-a551-19b08e8f5854",
- "id": "AOAI.73",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations"
- },
- {
- "category": "Operations Management",
- "subcategory": "Development",
- "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
- "id": "AOAI.74",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions"
- },
- {
- "category": "Governance and Security",
- "subcategory": "Security Audits and Penetration Testing",
- "text": "Red team your GenAI applications",
- "waf": "Security",
- "service": "Azure OpenAI",
- "guid": "e737897e-71ca-47da-acfa-962a1594946d",
- "id": "AOAI.75",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming"
- },
- {
- "category": "Operations Management",
- "subcategory": "End user feedback",
- "text": "Provide end users with scoring options for LLM responses and track these scores. ",
- "waf": "Operational Excellence",
- "service": "Azure OpenAI",
- "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
- "id": "AOAI.76",
- "severity": "Medium",
- "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/"
+ "items": [
+ {
+ "category": "Responsible AI",
+ "subcategory": "Metaprompting",
+ "text": "Follow Metaprompting guardrails for resonsible AI",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Load Balancing",
+ "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "severity": "High",
+ "link": "https://github.com/Azure-Samples/AI-Gateway"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Monitoring",
+ "text": "Enable monitoring for your AOAI instances",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "severity": "High",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Alerts",
+ "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Monitoring",
+ "text": "Monitor token usage to prevent service disruptions due to capacity",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Observability",
+ "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Observability",
+ "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "severity": "Low",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "severity": "High",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Authentication",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity"
+ },
+ {
+ "category": "Responsible AI",
+ "subcategory": "Evaluation",
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operational Execellence",
+ "service": "Azure OpenAI",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Hosting model",
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency"
+ },
+ {
+ "category": "Responsible AI",
+ "subcategory": "Content Safety",
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Throughput definition",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Latency improvement",
+ "text": "Improve latency of the system by limiting token sizes, streaming options",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Elasticity segregation",
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Benchmarking",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "severity": "High",
+ "link": "https://github.com/Azure/azure-openai-benchmark/"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Elasticity ",
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "severity": "Medium",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Model choice",
+ "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Fine tuning",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
+ "waf": "Performance",
+ "service": "Azure OpenAI",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "severity": "Medium",
+ "link": "https://github.com/Azure/azure-openai-benchmark/"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "Multi-region architecture",
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "Load balancing",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "Quotas",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota"
+ },
+ {
+ "category": "Responsible AI",
+ "subcategory": "UX best practice",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "severity": "Medium",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "Load balancing",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "Data Backup and Disaster Recovery",
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview"
+ },
+ {
+ "category": "BC and DR",
+ "subcategory": "SLA considerations",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability",
+ "service": "Azure OpenAI",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "severity": "High",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Data Sensitivity",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/purview/purview"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Encryption at Rest",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Transit Encryption",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Access Control",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Data Masking and Redaction",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Threat Detection and Monitoring",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Data Retention and Disposal",
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "severity": "Medium",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791"
+ },
+ {
+ "category": "Responsible AI",
+ "subcategory": "Jail break Safety",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Data Privacy and Compliance",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/compliance/"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Employee Awareness and Training",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "severity": "Medium"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Environment segregation",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "severity": "High"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Index Segregation",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "severity": "Medium"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Sensitive Data in Separate Instances",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "severity": "Medium"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Embedding and Vector handling",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "severity": "High"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Access control",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Network security",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "severity": "High",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Network security",
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "severity": "High"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Control Network Access",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "severity": "High"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Token Optimization",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "severity": "Medium",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Secure APIs and Endpoints",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Implement Strong Authentication",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "severity": "Medium",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Use Network Monitoring",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "severity": "Medium"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Security Audits and Penetration Testing",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "severity": "Medium"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operational Excellence",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Azure AI Service accounts follows organizational naming conventions",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Diagnostics Logging",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging"
+ },
+ {
+ "category": "Identity and Access Management",
+ "subcategory": "Entra ID based access",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Secure Key Management",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Key Rotation and Expiration",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Token Optimization",
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "severity": "High",
+ "link": "https://github.com/openai/tiktoken"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Secure coding practice",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Patching and updates",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops"
+ },
+ {
+ "category": "Responsible AI",
+ "subcategory": "Governance",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Cost familiarization",
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Batch processing",
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Cost monitoring",
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Token limit",
+ "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "AI Search Reliability",
+ "text": "Review the guidance provided on setting up AI search for Reliability",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "AI Search Vector Limits",
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "DevOps",
+ "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Costing Model",
+ "text": "Evaluate usage of billing models - PAYG vs PTU",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "DevOps",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "severity": "Medium",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Development",
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, \ufffd",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Development",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "severity": "Medium"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Development",
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Development",
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions"
+ },
+ {
+ "category": "Governance and Security",
+ "subcategory": "Security Audits and Penetration Testing",
+ "text": "Red team your GenAI applications",
+ "waf": "Security",
+ "service": "Azure OpenAI",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "End user feedback",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "severity": "Medium",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/"
+ },
+ {
+ "category": "Cost Optimization",
+ "subcategory": "Quota Management",
+ "text": "Consider Quota management practices",
+ "waf": "Cost Optimization",
+ "service": "Azure OpenAI",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "severity": "High",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268"
+ },
+ {
+ "category": "Operations Management",
+ "subcategory": "Load Balancing",
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational Excellence",
+ "service": "Azure OpenAI",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "severity": "Medium",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md"
+ }
+ ],
+ "categories": [
+ {
+ "name": "Identity and Access Management"
+ },
+ {
+ "name": "Network Topology and Connectivity"
+ },
+ {
+ "name": "BC and DR"
+ },
+ {
+ "name": "Governance and Security"
+ },
+ {
+ "name": "Cost Governance"
+ },
+ {
+ "name": "Operations Management"
+ },
+ {
+ "name": "Application Deployment"
+ },
+ {
+ "name": "Responsible AI"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Performance"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "status": [
+ {
+ "name": "Not verified",
+ "description": "This check has not been looked at yet"
+ },
+ {
+ "name": "Open",
+ "description": "There is an action item associated to this check"
+ },
+ {
+ "name": "Fulfilled",
+ "description": "This check has been verified, and there are no further action items associated to it"
+ },
+ {
+ "name": "Not required",
+ "description": "Recommendation understood, but not needed by current requirements"
+ },
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "waf": "all",
+ "timestamp": "July 23, 2024"
}
- ],
- "categories": [
- {
- "name": "Identity and Access Management"
- },
- {
- "name": "Network Topology and Connectivity"
- },
- {
- "name": "BC and DR"
- },
- {
- "name": "Governance and Security"
- },
- {
- "name": "Cost Governance"
- },
- {
- "name": "Operations Management"
- },
- {
- "name": "Application Deployment"
- },
- {
- "name": "Responsible AI"
- }
- ],
- "waf": [
- {
- "name": "Reliability"
- },
- {
- "name": "Security"
- },
- {
- "name": "Cost"
- },
- {
- "name": "Operations"
- },
- {
- "name": "Performance"
- }
- ],
- "yesno": [
- {
- "name": "Yes"
- },
- {
- "name": "No"
- }
- ],
- "status": [
- {
- "name": "Not verified",
- "description": "This check has not been looked at yet"
- },
- {
- "name": "Open",
- "description": "There is an action item associated to this check"
- },
- {
- "name": "Fulfilled",
- "description": "This check has been verified, and there are no further action items associated to it"
- },
- {
- "name": "Not required",
- "description": "Recommendation understood, but not needed by current requirements"
- },
- {
- "name": "N/A",
- "description": "Not applicable for current design"
- }
- ],
- "severities": [
- {
- "name": "High"
- },
- {
- "name": "Medium"
- },
- {
- "name": "Low"
- }
- ],
- "metadata": {
- "name": "Azure OpenAI Review",
- "state": "Preview",
- "waf": "all",
- "timestamp": "07/22/2024 11:25:56"
- }
-}
-
+}
\ No newline at end of file
diff --git a/checklists/aoai_checklist.es.json b/checklists/aoai_checklist.es.json
new file mode 100644
index 000000000..08bdc0ebb
--- /dev/null
+++ b/checklists/aoai_checklist.es.json
@@ -0,0 +1,920 @@
+{
+ "categories": [
+ {
+ "name": "Gestión de identidades y accesos"
+ },
+ {
+ "name": "Topología de red y conectividad"
+ },
+ {
+ "name": "BC y RD"
+ },
+ {
+ "name": "Gobernanza y seguridad"
+ },
+ {
+ "name": "Gobernanza de costos"
+ },
+ {
+ "name": "Gestión de Operaciones"
+ },
+ {
+ "name": "Implementación de aplicaciones"
+ },
+ {
+ "name": "IA responsable"
+ }
+ ],
+ "items": [
+ {
+ "category": "IA responsable",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Metaprompting (Metaincitación)",
+ "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Equilibrio de carga",
+ "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Monitorización",
+ "text": "Habilitación de la supervisión para las instancias de AOAI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Alertas",
+ "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Monitorización",
+ "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Observancia",
+ "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "subcategory": "Observancia",
+ "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Despliegue de infraestructura",
+ "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Autenticación",
+ "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "IA responsable",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Evaluación",
+ "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. Aproveche las capacidades de PromptFlow para la evaluación.",
+ "waf": "Excelencia Operativa"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Modelo de alojamiento",
+ "text": "Evaluación del uso del modelo de rendimiento aprovisionado ",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "IA responsable",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Seguridad del contenido",
+ "text": "Revisión e implementación de la seguridad del contenido de Azure AI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Definición de rendimiento",
+ "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Mejora de la latencia",
+ "text": "Mejore la latencia del sistema limitando el tamaño de los tokens, las opciones de transmisión",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Segregación por elasticidad",
+ "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Evaluación comparativa",
+ "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Elasticidad ",
+ "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Elección del modelo",
+ "text": "Elija el modelo adecuado para la tarea correcta. Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Puesta a punto",
+ "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo",
+ "waf": "Rendimiento"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "subcategory": "Arquitectura multirregional",
+ "text": "Implementación de varias instancias de OAI en todas las regiones",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Equilibrio de carga",
+ "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Cuotas",
+ "text": "Asegúrese de tener cuotas adecuadas de TPM y RPM para la carga de trabajo",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "IA responsable",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Mejores prácticas de UX",
+ "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Equilibrio de carga",
+ "text": "Implemente modelos de ajuste de precisión independientes en todas las regiones si se emplea el ajuste de precisión",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Copia de seguridad de datos y recuperación ante desastres",
+ "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "BC y RD",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Consideraciones sobre el SLA",
+ "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ",
+ "waf": "Fiabilidad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "subcategory": "Confidencialidad de los datos",
+ "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Cifrado en reposo",
+ "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Encriptación de tránsito",
+ "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Control de acceso",
+ "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Enmascaramiento y redacción de datos",
+ "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Detección y monitoreo de amenazas",
+ "text": "Use Azure Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Retención y eliminación de datos",
+ "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "IA responsable",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Seguridad en la fuga de la cárcel",
+ "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Privacidad de datos y cumplimiento",
+ "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Concienciación y formación de los empleados",
+ "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segregación del medio ambiente",
+ "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Segregación de índices",
+ "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Datos confidenciales en instancias separadas",
+ "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Incrustación y manejo de vectores",
+ "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. Estos datos deben recibir las mismas medidas de protección que el material de origen",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Control de acceso",
+ "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Seguridad de la red",
+ "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Seguridad de la red",
+ "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Controlar el acceso a la red",
+ "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Optimización de tokens",
+ "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "API y endpoints seguros",
+ "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Implementación de una autenticación sólida",
+ "text": "Aplique mecanismos sólidos de autenticación de usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Uso de la supervisión de red",
+ "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Auditorías de seguridad y pruebas de penetración",
+ "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "subcategory": "Despliegue de infraestructura",
+ "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "subcategory": "Despliegue de infraestructura",
+ "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Registro de diagnósticos",
+ "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de identidades y accesos",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Acceso basado en ID de Entra",
+ "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. ",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Gestión segura de claves",
+ "text": "Almacene y administre claves de forma segura con Azure Key Vault. Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Rotación y caducidad de claves",
+ "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Optimización de tokens",
+ "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Práctica de codificación segura",
+ "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Aplicación de parches y actualizaciones",
+ "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "IA responsable",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Gobernanza",
+ "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Familiarización con los costos",
+ "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Procesamiento por lotes",
+ "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. Asegúrese de optimizar el tamaño del lote",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Seguimiento de costes",
+ "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Límite de tokens",
+ "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Fiabilidad de la búsqueda con IA",
+ "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Límites del vector de búsqueda de IA",
+ "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "DevOps (Operaciones de desarrollo)",
+ "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Modelo de cálculo de costes",
+ "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "DevOps (Operaciones de desarrollo)",
+ "text": "Evalúe la calidad de los mensajes y las aplicaciones al cambiar entre versiones de modelo",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Desarrollo",
+ "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Desarrollo",
+ "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Desarrollo",
+ "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Desarrollo",
+ "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Gobernanza y seguridad",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Auditorías de seguridad y pruebas de penetración",
+ "text": "Equipo rojo con sus aplicaciones GenAI",
+ "waf": "Seguridad"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Comentarios de los usuarios finales",
+ "text": "Proporcione a los usuarios finales opciones de puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. ",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "category": "Optimización de costes",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Gestión de cuotas",
+ "text": "Considere las prácticas de administración de cuotas",
+ "waf": "Optimización de costes"
+ },
+ {
+ "category": "Gestión de Operaciones",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "subcategory": "Equilibrio de carga",
+ "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones",
+ "waf": "Excelencia Operacional"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "timestamp": "July 23, 2024",
+ "waf": "all"
+ },
+ "severities": [
+ {
+ "name": "Alto"
+ },
+ {
+ "name": "Medio"
+ },
+ {
+ "name": "Bajo"
+ }
+ ],
+ "status": [
+ {
+ "description": "Este control aún no se ha examinado",
+ "name": "No verificado"
+ },
+ {
+ "description": "Hay un elemento de acción asociado a esta comprobación",
+ "name": "Abrir"
+ },
+ {
+ "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella",
+ "name": "Cumplido"
+ },
+ {
+ "description": "Recomendación entendida, pero no necesaria por los requisitos actuales",
+ "name": "No es necesario"
+ },
+ {
+ "description": "No aplicable para el diseño actual",
+ "name": "N/A"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Fiabilidad"
+ },
+ {
+ "name": "Seguridad"
+ },
+ {
+ "name": "Costar"
+ },
+ {
+ "name": "Operaciones"
+ },
+ {
+ "name": "Rendimiento"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Sí"
+ },
+ {
+ "name": "No"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/aoai_checklist.ja.json b/checklists/aoai_checklist.ja.json
new file mode 100644
index 000000000..af0251903
--- /dev/null
+++ b/checklists/aoai_checklist.ja.json
@@ -0,0 +1,920 @@
+{
+ "categories": [
+ {
+ "name": "ID およびアクセス管理"
+ },
+ {
+ "name": "ネットワーク トポロジと接続性"
+ },
+ {
+ "name": "BC と DR"
+ },
+ {
+ "name": "ガバナンスとセキュリティ"
+ },
+ {
+ "name": "コストガバナンス"
+ },
+ {
+ "name": "オペレーションマネジメント"
+ },
+ {
+ "name": "アプリケーションのデプロイメント"
+ },
+ {
+ "name": "責任あるAI"
+ }
+ ],
+ "items": [
+ {
+ "category": "責任あるAI",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "メタプロンプティング",
+ "text": "共鳴可能なAIのためのメタプロンプトガードレールに従う",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ロードバランシング",
+ "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "モニタリング",
+ "text": "AOAI インスタンスの監視を有効にする",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "アラート",
+ "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "モニタリング",
+ "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "オブザーバビリティ",
+ "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "subcategory": "オブザーバビリティ",
+ "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "インフラストラクチャの展開",
+ "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "認証",
+ "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する",
+ "waf": "安全"
+ },
+ {
+ "category": "責任あるAI",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "評価",
+ "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。",
+ "waf": "運用上のエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ホスティングモデル",
+ "text": "プロビジョニング済みスループットモデルの使用状況の評価",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "責任あるAI",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "コンテンツの安全性",
+ "text": "Azure AI コンテンツの安全性を確認して実装する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "スループットの定義",
+ "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "レイテンシーの改善",
+ "text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "弾力性の分離",
+ "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ベンチマーク",
+ "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "弾性",
+ "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "モデルの選択",
+ "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "微調整",
+ "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "subcategory": "マルチリージョン アーキテクチャ",
+ "text": "複数のOAIインスタンスを複数のリージョンにデプロイする",
+ "waf": "確実"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ロードバランシング",
+ "text": "APIM のようなゲートウェイ パターンを使用した再試行とヘルスチェックの実装",
+ "waf": "確実"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "クォータ",
+ "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します",
+ "waf": "確実"
+ },
+ {
+ "category": "責任あるAI",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "UX のベスト プラクティス",
+ "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "ロードバランシング",
+ "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします",
+ "waf": "確実"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "データバックアップとディザスタリカバリ",
+ "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。",
+ "waf": "確実"
+ },
+ {
+ "category": "BC と DR",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "SLA に関する考慮事項",
+ "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります",
+ "waf": "確実"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "subcategory": "データの機密性",
+ "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "保存時の暗号化",
+ "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "トランジット暗号化",
+ "text": "データソース間で転送されるデータ、Retrieval-Augmented Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "アクセス制御",
+ "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "データマスキングとリダクション",
+ "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "脅威の検出と監視",
+ "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel を活用して高度な脅威の検出と対応を実現",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "データの保持と廃棄",
+ "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します",
+ "waf": "安全"
+ },
+ {
+ "category": "責任あるAI",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "脱獄の安全性",
+ "text": "Content Safety を使用した Prompt シールドと接地検出の実装",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "データのプライバシーとコンプライアンス",
+ "text": "GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "従業員の意識向上と教育",
+ "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "環境の分離",
+ "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "インデックスの分離",
+ "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "個別のインスタンス内の機密データ",
+ "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "埋め込みとベクター処理",
+ "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "アクセス制御",
+ "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ネットワークセキュリティ",
+ "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ネットワークセキュリティ",
+ "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "ネットワークアクセスの制御",
+ "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます",
+ "waf": "安全"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "トークンの最適化",
+ "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "安全なAPIとエンドポイント",
+ "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "強力な認証の実装",
+ "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "ネットワーク監視を使用する",
+ "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "セキュリティ監査と侵入テスト",
+ "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "subcategory": "インフラストラクチャの展開",
+ "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "subcategory": "インフラストラクチャの展開",
+ "text": "Azure AI Service アカウントは、組織の名前付け規則に従います",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "診断のログ",
+ "text": "Azure AI サービス リソースの診断ログを有効にする必要がある",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ID およびアクセス管理",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "Entra IDベースのアクセス",
+ "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "セキュアなキー管理",
+ "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "キーのローテーションと有効期限",
+ "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。",
+ "waf": "安全"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "トークンの最適化",
+ "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "安全なコーディングの実践",
+ "text": "安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します",
+ "waf": "安全"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "パッチ適用と更新",
+ "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します",
+ "waf": "安全"
+ },
+ {
+ "category": "責任あるAI",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "統治",
+ "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "コストの習熟度",
+ "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "バッチ処理",
+ "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "コスト監視",
+ "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "トークン制限",
+ "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "AI検索の信頼性",
+ "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "AI 検索ベクトルの制限",
+ "text": "AI Search Vector ストレージの計画と管理",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "DevOpsの",
+ "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "原価計算モデル",
+ "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "DevOpsの",
+ "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "発達",
+ "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "発達",
+ "text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "発達",
+ "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "発達",
+ "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "ガバナンスとセキュリティ",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "セキュリティ監査と侵入テスト",
+ "text": "GenAIアプリケーションをレッドチーム化",
+ "waf": "安全"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "エンドユーザーのフィードバック",
+ "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "category": "コストの最適化",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "subcategory": "クォータ管理",
+ "text": "クォータ管理の実践を検討する",
+ "waf": "コストの最適化"
+ },
+ {
+ "category": "オペレーションマネジメント",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "subcategory": "ロードバランシング",
+ "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します",
+ "waf": "オペレーショナルエクセレンス"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "timestamp": "July 23, 2024",
+ "waf": "all"
+ },
+ "severities": [
+ {
+ "name": "高い"
+ },
+ {
+ "name": "中程度"
+ },
+ {
+ "name": "低い"
+ }
+ ],
+ "status": [
+ {
+ "description": "このチェックはまだ見ていません",
+ "name": "未確認"
+ },
+ {
+ "description": "このチェックにはアクションアイテムが関連付けられています",
+ "name": "開ける"
+ },
+ {
+ "description": "このチェックは検証済みであり、これ以上のアクション アイテムは関連付けられていません",
+ "name": "達成"
+ },
+ {
+ "description": "推奨事項は理解されているが、現在の要件では必要ではない",
+ "name": "必須ではありません"
+ },
+ {
+ "description": "現在のデザインには適用されません",
+ "name": "該当なし"
+ }
+ ],
+ "waf": [
+ {
+ "name": "確実"
+ },
+ {
+ "name": "安全"
+ },
+ {
+ "name": "費用"
+ },
+ {
+ "name": "オペレーションズ"
+ },
+ {
+ "name": "パフォーマンス"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "はい"
+ },
+ {
+ "name": "いいえ"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/aoai_checklist.ko.json b/checklists/aoai_checklist.ko.json
new file mode 100644
index 000000000..f08217a56
--- /dev/null
+++ b/checklists/aoai_checklist.ko.json
@@ -0,0 +1,920 @@
+{
+ "categories": [
+ {
+ "name": "ID 및 액세스 관리"
+ },
+ {
+ "name": "네트워크 토폴로지 및 연결성"
+ },
+ {
+ "name": "BC 및 DR"
+ },
+ {
+ "name": "거버넌스 및 보안"
+ },
+ {
+ "name": "비용 관리"
+ },
+ {
+ "name": "운영 관리"
+ },
+ {
+ "name": "응용 프로그램 배포"
+ },
+ {
+ "name": "책임감 있는 AI"
+ }
+ ],
+ "items": [
+ {
+ "category": "책임감 있는 AI",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "메타프롬프트",
+ "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "로드 밸런싱",
+ "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "모니터링",
+ "text": "AOAI 인스턴스에 대한 모니터링 활성화",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "경고",
+ "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "모니터링",
+ "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "관찰 가능성",
+ "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 같은 메트릭 관찰",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "subcategory": "관찰 가능성",
+ "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "인프라스트럭처 구축",
+ "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "인증",
+ "text": "API 키 대신 관리 ID로 Microsoft Entra 인증 사용",
+ "waf": "안전"
+ },
+ {
+ "category": "책임감 있는 AI",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "평가",
+ "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 평가합니다. 평가를 위해 PromptFlow의 기능을 활용합니다.",
+ "waf": "운영 엑셀런스"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "호스팅 모델",
+ "text": "프로비저닝된 처리량 모델의 사용 평가 ",
+ "waf": "공연"
+ },
+ {
+ "category": "책임감 있는 AI",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "콘텐츠 안전성",
+ "text": "Azure AI 콘텐츠 안전성 검토 및 구현",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "처리량 정의",
+ "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "지연 시간 개선",
+ "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "탄력성 분리",
+ "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "벤치마킹",
+ "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "탄력 ",
+ "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "모델 선택",
+ "text": "올바른 작업에 적합한 모델을 선택하십시오. 속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택",
+ "waf": "공연"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "미세 조정",
+ "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.",
+ "waf": "공연"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "subcategory": "다중 지역 아키텍처Multi-region architecture",
+ "text": "여러 지역에 여러 OAI 인스턴스 배포",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "로드 밸런싱",
+ "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "할당량",
+ "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "책임감 있는 AI",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "UX 모범 사례",
+ "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "로드 밸런싱",
+ "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "데이터 백업 및 재해 복구",
+ "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "BC 및 DR",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "SLA 고려 사항",
+ "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. ",
+ "waf": "신뢰도"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "subcategory": "데이터 민감도",
+ "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "저장 데이터 암호화",
+ "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "트랜짓 암호화",
+ "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "출입 통제",
+ "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "데이터 마스킹 및 수정",
+ "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "위협 탐지 및 모니터링",
+ "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "데이터 보유 및 폐기",
+ "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "책임감 있는 AI",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "탈옥 안전",
+ "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "데이터 개인 정보 보호 및 규정 준수",
+ "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "직원 인식 제고 및 교육",
+ "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 데이터 보안 프로토콜을 성실히 따르도록 권장합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "환경 분리",
+ "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "인덱스 분리",
+ "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "별도의 인스턴스에 있는 민감한 데이터Sensitive Data in separate instances",
+ "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "임베딩 및 벡터 처리",
+ "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "출입 통제",
+ "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "네트워크 보안",
+ "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "네트워크 보안",
+ "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 통합 지점을 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "네트워크 액세스 제어",
+ "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "토큰 최적화",
+ "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "API 및 엔드포인트 보안",
+ "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "강력한 인증 구현",
+ "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "네트워크 모니터링 사용",
+ "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "보안 감사 및 침투 테스트",
+ "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "subcategory": "인프라스트럭처 구축",
+ "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "subcategory": "인프라스트럭처 구축",
+ "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "진단 로깅",
+ "text": "Azure AI Services 리소스의 진단 로그를 사용하도록 설정해야 함",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "ID 및 액세스 관리",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "Entra ID 기반 액세스",
+ "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. ",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "보안 키 관리",
+ "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "키 순환 및 만료Key Rotation and Expiration",
+ "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "토큰 최적화",
+ "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "안전한 코딩 연습",
+ "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다",
+ "waf": "안전"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "패치 및 업데이트",
+ "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.",
+ "waf": "안전"
+ },
+ {
+ "category": "책임감 있는 AI",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "지배구조",
+ "text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "비용 숙지",
+ "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "배치 처리",
+ "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 배치 크기를 최적화해야 합니다.",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "비용 모니터링",
+ "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "토큰 한도",
+ "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "AI 검색 신뢰성",
+ "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "AI 검색 벡터 한계",
+ "text": "AI Search Vector 스토리지 계획 및 관리",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "데브옵스",
+ "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "원가 계산 모델",
+ "text": "청구 모델 사용 평가 - PAYG 대 PTU",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "데브옵스",
+ "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "발달",
+ "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "발달",
+ "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "발달",
+ "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "발달",
+ "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "거버넌스 및 보안",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "보안 감사 및 침투 테스트",
+ "text": "GenAI 애플리케이션을 위한 레드 팀",
+ "waf": "안전"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "최종 사용자 피드백",
+ "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. ",
+ "waf": "운영 우수성"
+ },
+ {
+ "category": "비용 최적화",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "subcategory": "할당량 관리",
+ "text": "할당량 관리 방법 고려",
+ "waf": "비용 최적화"
+ },
+ {
+ "category": "운영 관리",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "subcategory": "로드 밸런싱",
+ "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다",
+ "waf": "운영 우수성"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "timestamp": "July 23, 2024",
+ "waf": "all"
+ },
+ "severities": [
+ {
+ "name": "높다"
+ },
+ {
+ "name": "보통"
+ },
+ {
+ "name": "낮다"
+ }
+ ],
+ "status": [
+ {
+ "description": "이 검사는 아직 검토되지 않았습니다",
+ "name": "확인되지 않음"
+ },
+ {
+ "description": "이 검사와 연관된 작업 항목이 있습니다",
+ "name": "열다"
+ },
+ {
+ "description": "이 검사는 확인되었으며 이와 관련된 추가 작업 항목이 없습니다",
+ "name": "성취"
+ },
+ {
+ "description": "권장 사항을 이해하지만 현재 요구 사항에 필요하지 않음",
+ "name": "필요 없음"
+ },
+ {
+ "description": "현재 설계에는 적용되지 않습니다.",
+ "name": "해당 없음"
+ }
+ ],
+ "waf": [
+ {
+ "name": "신뢰도"
+ },
+ {
+ "name": "안전"
+ },
+ {
+ "name": "비용"
+ },
+ {
+ "name": "작업"
+ },
+ {
+ "name": "공연"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "예"
+ },
+ {
+ "name": "아니요"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/aoai_checklist.pt.json b/checklists/aoai_checklist.pt.json
new file mode 100644
index 000000000..28b299c53
--- /dev/null
+++ b/checklists/aoai_checklist.pt.json
@@ -0,0 +1,920 @@
+{
+ "categories": [
+ {
+ "name": "Gerenciamento de identidade e acesso"
+ },
+ {
+ "name": "Topologia e conectividade de rede"
+ },
+ {
+ "name": "BC e DR"
+ },
+ {
+ "name": "Governança e segurança"
+ },
+ {
+ "name": "Governança de custos"
+ },
+ {
+ "name": "Gestão de Operações"
+ },
+ {
+ "name": "Implantação de aplicativos"
+ },
+ {
+ "name": "IA responsável"
+ }
+ ],
+ "items": [
+ {
+ "category": "IA responsável",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Metaprompting",
+ "text": "Siga as proteções do Metaprompting para uma IA razoável",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Balanceamento de carga",
+ "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de taxa, balanceamento de carga, autenticação e registro",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Monitorização",
+ "text": "Habilitar o monitoramento para suas instâncias AOAI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Alertas",
+ "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Monitorização",
+ "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Observabilidade",
+ "text": "Observe métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "subcategory": "Observabilidade",
+ "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Implantação de infraestrutura",
+ "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do Azure, implantações de modelo e todos os recursos relacionados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Autenticação",
+ "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API",
+ "waf": "Segurança"
+ },
+ {
+ "category": "IA responsável",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Avaliação",
+ "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. Aproveite os recursos do PromptFlow para avaliação.",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Modelo de hospedagem",
+ "text": "Avaliar o uso do modelo de taxa de transferência provisionada ",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "IA responsável",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segurança de conteúdo",
+ "text": "Examinar e implementar a segurança de conteúdo do Azure AI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Definição de taxa de transferência",
+ "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Melhoria da latência",
+ "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Segregação de elasticidade",
+ "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Avaliação comparativa",
+ "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Elasticidade ",
+ "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Escolha do modelo",
+ "text": "Escolha o modelo certo para a tarefa certa. Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Afinar",
+ "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino melhorou ou não o desempenho do modelo",
+ "waf": "Desempenho"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "subcategory": "Arquitetura multirregional",
+ "text": "Implantar várias instâncias de OAI em regiões",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Balanceamento de carga",
+ "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Quotas",
+ "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "IA responsável",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Prática recomendada de UX",
+ "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Balanceamento de carga",
+ "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Backup de dados e recuperação de desastres",
+ "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "BC e DR",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Considerações sobre SLA",
+ "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ",
+ "waf": "Fiabilidade"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "subcategory": "Sensibilidade de dados",
+ "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Criptografia em repouso",
+ "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Criptografia de trânsito",
+ "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Controle de acesso",
+ "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Mascaramento e redação de dados",
+ "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Detecção e monitoramento de ameaças",
+ "text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Retenção e descarte de dados",
+ "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados",
+ "waf": "Segurança"
+ },
+ {
+ "category": "IA responsável",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segurança de fuga da prisão",
+ "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Privacidade e conformidade de dados",
+ "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Conscientização e treinamento de funcionários",
+ "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. Incentive-os a seguir os protocolos de segurança de dados diligentemente.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segregação ambiental",
+ "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Segregação de índice",
+ "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Dados confidenciais em instâncias separadas",
+ "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Incorporação e manipulação de vetores",
+ "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. Esses dados devem receber as mesmas medidas de proteção que o material de origem",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Controle de acesso",
+ "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segurança de rede",
+ "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Segurança de rede",
+ "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Controle o acesso à rede",
+ "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Otimização de token",
+ "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "APIs e endpoints seguros",
+ "text": "Certifique-se de que as APIs e os endpoints usados pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Implementar autenticação forte",
+ "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Usar o monitoramento de rede",
+ "text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Auditorias de segurança e testes de penetração",
+ "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do aplicativo LLM",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "subcategory": "Implantação de infraestrutura",
+ "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "subcategory": "Implantação de infraestrutura",
+ "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Log de diagnóstico",
+ "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gerenciamento de identidade e acesso",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Acesso baseado em ID de entrada",
+ "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. ",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Gerenciamento seguro de chaves",
+ "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Rotação e expiração de chaves",
+ "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Otimização de token",
+ "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Prática de codificação segura",
+ "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Patches e atualizações",
+ "text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema",
+ "waf": "Segurança"
+ },
+ {
+ "category": "IA responsável",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Governança",
+ "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Familiarização com custos",
+ "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Processamento em lote",
+ "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. Certifique-se de otimizar o tamanho do lote",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Monitoramento de custos",
+ "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Limite de token",
+ "text": "Defina um limite máximo para o número de tokens por resposta do modelo. Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Confiabilidade da pesquisa de IA",
+ "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Limites de vetor de pesquisa de IA",
+ "text": "Planejar e gerenciar o armazenamento de vetores do AI Search",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "DevOps",
+ "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Modelo de Custeio",
+ "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "DevOps",
+ "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Desenvolvimento",
+ "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Desenvolvimento",
+ "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Desenvolvimento",
+ "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Desenvolvimento",
+ "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Governança e segurança",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Auditorias de segurança e testes de penetração",
+ "text": "Equipe vermelha de seus aplicativos GenAI",
+ "waf": "Segurança"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Feedback do usuário final",
+ "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. ",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "category": "Otimização de custos",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "subcategory": "Gerenciamento de cotas",
+ "text": "Considere as práticas de gerenciamento de cotas",
+ "waf": "Otimização de custos"
+ },
+ {
+ "category": "Gestão de Operações",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "subcategory": "Balanceamento de carga",
+ "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões",
+ "waf": "Excelência Operacional"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "timestamp": "July 23, 2024",
+ "waf": "all"
+ },
+ "severities": [
+ {
+ "name": "Alto"
+ },
+ {
+ "name": "Média"
+ },
+ {
+ "name": "Baixo"
+ }
+ ],
+ "status": [
+ {
+ "description": "Esta verificação ainda não foi analisada",
+ "name": "Não verificado"
+ },
+ {
+ "description": "Há um item de ação associado a essa verificação",
+ "name": "Abrir"
+ },
+ {
+ "description": "Essa verificação foi verificada e não há mais itens de ação associados a ela",
+ "name": "Cumprido"
+ },
+ {
+ "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais",
+ "name": "Não é necessário"
+ },
+ {
+ "description": "Não aplicável para o projeto atual",
+ "name": "N/A"
+ }
+ ],
+ "waf": [
+ {
+ "name": "Fiabilidade"
+ },
+ {
+ "name": "Segurança"
+ },
+ {
+ "name": "Custar"
+ },
+ {
+ "name": "Operações"
+ },
+ {
+ "name": "Desempenho"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Sim"
+ },
+ {
+ "name": "Não"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/aoai_checklist.zh-Hant.json b/checklists/aoai_checklist.zh-Hant.json
new file mode 100644
index 000000000..76c04c87f
--- /dev/null
+++ b/checklists/aoai_checklist.zh-Hant.json
@@ -0,0 +1,920 @@
+{
+ "categories": [
+ {
+ "name": "身份和訪問管理"
+ },
+ {
+ "name": "網路拓撲和連接"
+ },
+ {
+ "name": "BC 和DR"
+ },
+ {
+ "name": "治理與安全"
+ },
+ {
+ "name": "成本治理"
+ },
+ {
+ "name": "運營管理"
+ },
+ {
+ "name": "應用程式部署"
+ },
+ {
+ "name": "負責任的 AI"
+ }
+ ],
+ "items": [
+ {
+ "category": "負責任的 AI",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "id": "AOAI.1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "元提示",
+ "text": "遵循 Metaprompting 護欄,實現 realible AI",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "id": "AOAI.10",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "負載均衡",
+ "text": "考慮使用APIM或 AI central 等解決方案的閘道模式,以實現更好的速率限制、負載均衡、身份驗證和日誌記錄",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "id": "AOAI.11",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "監測",
+ "text": "為您的 AOAI 實例啟用監控",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "id": "AOAI.12",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "警報",
+ "text": "建立警報以通知團隊有關事件的通知,例如由對資源執行的操作(例如重新生成其訂閱金閜)創建的活動日誌中的條目或指標閾值(例如一小時內超過 10 的錯誤數)",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "id": "AOAI.13",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "監測",
+ "text": "監控令牌使用方式,防止由於容量導致服務中斷",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "id": "AOAI.14",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "可觀察性",
+ "text": "觀察已處理的推理令牌、生成的完成令牌等指標,監視速率限制",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "id": "AOAI.15",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "subcategory": "可觀察性",
+ "text": "如果診斷對你來說還不夠,請考慮在 Azure OpenAI 前面使用閘道(例如 Azure API 管理)來記錄傳入提示和傳出回應(如果允許)",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "id": "AOAI.16",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "基礎設施部署",
+ "text": "使用基礎結構即代碼部署 Azure OpenAI 服務、模型部署和所有相關資源",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "id": "AOAI.17",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "認證",
+ "text": "將 Microsoft Entra 身份驗證與託管標識(而不是 API 金鑰)配合使用",
+ "waf": "安全"
+ },
+ {
+ "category": "負責任的 AI",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "id": "AOAI.18",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "評估",
+ "text": "使用已知的黃金數據集評估系統的性能/準確性,該數據集具有輸入和正確答案。利用 PromptFlow 中的功能進行評估。",
+ "waf": "卓越的運營執行力"
+ },
+ {
+ "category": "運營管理",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "id": "AOAI.19",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "託管模型",
+ "text": "評估預配輸送量模型的使用方式",
+ "waf": "性能"
+ },
+ {
+ "category": "負責任的 AI",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "id": "AOAI.2",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "內容安全",
+ "text": "查看和實施 Azure AI 內容安全性",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "id": "AOAI.20",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "輸送量定義",
+ "text": "根據令牌數和每分鐘的回應來定義和評估系統的輸送量,並符合要求",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "id": "AOAI.21",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "延遲改善",
+ "text": "通過限制令牌大小、流式處理選項來改善系統的延遲",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "id": "AOAI.22",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "彈性分離",
+ "text": "估計彈性需求,以根據優先順序確定同步和批量請求分離。對於高優先順序,使用同步方法,對於低優先順序,首選使用佇列的異步批處理",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "id": "AOAI.23",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "標杆",
+ "text": "根據消費者的估計需求對代幣消費要求進行基準測試。如果使用的是預設輸送量單元部署,請考慮使用 Azure OpenAI 基準測試工具來幫助驗證輸送量",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "id": "AOAI.24",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "彈性",
+ "text": "如果您使用的是預設輸送量單位 (PTU),請考慮為溢出請求部署每分鐘令牌 (TPM) 部署。當達到 PTU 限制時,使用閘道將請求路由到 TPM 部署。",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "id": "AOAI.25",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "型號選擇",
+ "text": "為正確的任務選擇正確的模型。選擇在速度、回應質量和輸出複雜性之間做出正確權衡的模型",
+ "waf": "性能"
+ },
+ {
+ "category": "運營管理",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "id": "AOAI.26",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "微調",
+ "text": "有一個性能基線,而不進行微調,以瞭解微調是否提高了模型性能",
+ "waf": "性能"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "id": "AOAI.27",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "subcategory": "多區域架構",
+ "text": "跨區域部署多個 OAI 實例",
+ "waf": "可靠性"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "id": "AOAI.28",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "負載均衡",
+ "text": "使用閘道模式(如 APIM)實現重試和運行狀況檢查",
+ "waf": "可靠性"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "id": "AOAI.29",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "配額",
+ "text": "確保為工作負載提供足夠的 TPM 和 RPM 配額",
+ "waf": "可靠性"
+ },
+ {
+ "category": "負責任的 AI",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "id": "AOAI.3",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "UX 最佳實踐",
+ "text": "查看 HAI 工具包指南中的注意事項,並將這些交互實踐應用於 slution",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "id": "AOAI.30",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "負載均衡",
+ "text": "如果採用微調,則跨區域部署單獨的微調模型",
+ "waf": "可靠性"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "id": "AOAI.31",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "數據備份和災難恢復",
+ "text": "定期備份和複製關鍵數據,以確保數據丟失或系統故障時的數據可用性和可恢復性。利用 Azure 的備份和災難恢復服務來保護數據。",
+ "waf": "可靠性"
+ },
+ {
+ "category": "BC 和DR",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "id": "AOAI.32",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "SLA 注意事項",
+ "text": "應選擇 Azure AI 搜索服務層級以具有 SLA",
+ "waf": "可靠性"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "id": "AOAI.33",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "subcategory": "數據敏感度",
+ "text": "對數據和敏感度進行分類,在生成嵌入之前使用 Microsoft Purview 進行標記,並確保以相同的敏感度和分類處理生成的嵌入",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "id": "AOAI.34",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "靜態加密",
+ "text": "使用 SSE/磁碟加密和可選的 BYOK 加密來加密用於 RAG 的數據",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "id": "AOAI.35",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "傳輸加密",
+ "text": "確保對跨數據源傳輸的數據實施 TLS,用於檢索增強生成 (RAG) 和 LLM 通信的 AI 搜索",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "id": "AOAI.36",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "存取控制",
+ "text": "使用 RBAC 管理對 Azure OpenAI 服務的訪問。為使用者分配適當的許可權,並根據其角色和職責限制訪問許可權",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "id": "AOAI.37",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "數據遮罩和編輯",
+ "text": "實施數據加密、遮罩或編輯技術,以在非生產環境中或出於測試或故障排除目的共用數據時隱藏敏感數據或將其替換為混淆值",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "id": "AOAI.38",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "威脅檢測和監控",
+ "text": "利用 Azure Defender 來檢測和回應安全威脅,並設置監視和警報機制來識別可疑活動或違規行為。利用 Azure Sentinel 進行高級威脅檢測和回應",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "id": "AOAI.39",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "數據保留和處置",
+ "text": "制定數據保留和處置策略,以遵守合規性法規。對不再需要的數據實施安全刪除方法,並維護數據保留和處置活動的審計跟蹤",
+ "waf": "安全"
+ },
+ {
+ "category": "負責任的 AI",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "id": "AOAI.4",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "越獄安全",
+ "text": "使用 Content Safety 實施 Prompt shields 和接地檢測",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "id": "AOAI.40",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "數據隱私與合規",
+ "text": "通過實施隱私控制並獲得數據處理活動所需的同意或許可,確保遵守相關的數據保護法規,例如GDPR或HIPAA。",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "id": "AOAI.41",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "員工意識和培訓",
+ "text": "對員工進行有關數據安全最佳實踐、安全處理數據的重要性以及與數據洩露相關的潛在風險的教育。鼓勵他們勤奮地遵循數據安全協定。",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "id": "AOAI.42",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "環境隔離",
+ "text": "將生產數據與開發和測試數據分開。僅在生產中使用真實的敏感數據,並在開發和測試環境中使用匿名或合成數據。",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "id": "AOAI.43",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "索引分離",
+ "text": "如果您具有不同級別的數據敏感度,請考慮為每個級別創建單獨的索引。例如,您可以有一個用於常規數據的索引,另一個用於敏感數據的索引,每個索引都由不同的訪問協定管理",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "id": "AOAI.44",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "不同實例中的敏感數據",
+ "text": "通過將敏感數據集放置在服務的不同實例中,進一步實現隔離。每個實例都可以使用其自己的特定 RBAC 策略集進行控制",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "id": "AOAI.45",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "嵌入和向量處理",
+ "text": "認識到從敏感資訊生成的嵌入和向量本身就是敏感的。這些數據應得到與源材料相同的保護措施",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "id": "AOAI.46",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "存取控制",
+ "text": "將 RBAC 應用於具有嵌入和向量的數據存儲,並根據角色的訪問要求確定存取範圍",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "id": "AOAI.47",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "網路安全",
+ "text": "為 AI 服務配置專用終結點,以限制網路內的服務訪問",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "id": "AOAI.48",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "網路安全",
+ "text": "使用 Azure 防火牆和 UDR 強制實施嚴格的入站和出站流量控制,並限制外部集成點",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "id": "AOAI.49",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "控制網路訪問",
+ "text": "實施網路分段和訪問控制,將 LLM 應用程式的存取限製為僅授權使用者和系統,並防止橫向行動",
+ "waf": "安全"
+ },
+ {
+ "category": "成本優化",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "id": "AOAI.5",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "代幣優化",
+ "text": "使用提示壓縮工具,如 LLMLingua 或 gprtrim",
+ "waf": "成本優化"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "id": "AOAI.50",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "保護 API 和端點",
+ "text": "確保 LLM 應用程式使用的 API 和端點使用身份驗證和授權機制(例如託管標識、API 金鑰或 OAuth)得到適當保護,以防止未經授權的訪問。",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "id": "AOAI.51",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "實施強身份驗證",
+ "text": "實施強大的最終使用者身份驗證機制,例如多因素身份驗證,以防止對 LLM 應用程式和相關網路資源的未經授權的訪問",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "id": "AOAI.52",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "使用網路監控",
+ "text": "實施網路監控工具,以檢測和分析網路流量中的任何可疑或惡意活動。啟用日誌記錄以捕獲網路事件,並在發生安全事件時促進取證分析",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "id": "AOAI.53",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "安全審計和滲透測試",
+ "text": "進行安全審計和滲透測試,以識別和解決LLM應用程式的網路基礎設施中的任何網路安全弱點或漏洞",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "id": "AOAI.54",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "subcategory": "基礎設施部署",
+ "text": "Azure AI 服務已正確標記,以便更好地管理",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "id": "AOAI.55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "subcategory": "基礎設施部署",
+ "text": "Azure AI 服務帳戶遵循組織命名約定",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "id": "AOAI.56",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "診斷記錄",
+ "text": "應啟用 Azure AI 服務資源中的診斷日誌",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "身份和訪問管理",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "id": "AOAI.57",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "基於 Entra ID 的訪問",
+ "text": "為了安全起見,建議禁用密鑰訪問(本地身份驗證)。 禁用基於密鑰的訪問后,Microsoft Entra ID 將成為唯一的訪問方法,該方法允許保持最小許可權原則和精細控制。",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "id": "AOAI.58",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "安全金鑰管理",
+ "text": "使用 Azure Key Vault 安全地存儲和管理密鑰。避免在 LLM 應用程式的代碼中硬編碼或嵌入敏感密鑰,並使用託管標識從 Azure Key Vault 中安全地檢索它們",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "id": "AOAI.59",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "密鑰輪換和過期",
+ "text": "定期輪換和過期存儲在 Azure Key Vault 中的密鑰,以最大程度地降低未經授權訪問的風險。",
+ "waf": "安全"
+ },
+ {
+ "category": "成本優化",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "id": "AOAI.6",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "代幣優化",
+ "text": "使用 tiktoken 了解對話模式下令牌優化的令牌大小",
+ "waf": "成本優化"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "id": "AOAI.60",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "安全編碼實踐",
+ "text": "遵循安全編碼做法,以防止常見漏洞,例如注入攻擊、跨網站腳本 (XSS) 或安全配置錯誤",
+ "waf": "安全"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "id": "AOAI.61",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "修補和更新",
+ "text": "設置一個流程來定期更新和修補 LLM 庫和其他系統元件",
+ "waf": "安全"
+ },
+ {
+ "category": "負責任的 AI",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "id": "AOAI.62",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "統轄",
+ "text": "遵守 Azure OpenAI 或其他 LLM 的使用條款、策略和指南以及允許的用例",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "成本優化",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "id": "AOAI.63",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "熟悉成本",
+ "text": "了解基礎模型和微調模型的成本差異以及令牌步長",
+ "waf": "成本優化"
+ },
+ {
+ "category": "成本優化",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "id": "AOAI.64",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "批處理",
+ "text": "在可能的情況下,批量請求,以最大程度地減少每次調用的開銷,從而降低總體成本。確保優化批量大小",
+ "waf": "成本優化"
+ },
+ {
+ "category": "成本優化",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "id": "AOAI.65",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "成本監控",
+ "text": "設置成本跟蹤系統,用於監視模型使用方式,並使用該資訊來説明通知模型選擇和提示大小",
+ "waf": "成本優化"
+ },
+ {
+ "category": "成本優化",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "id": "AOAI.66",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "令牌限制",
+ "text": "為每個模型回應的令牌數設置最大限制。優化大小以確保其足夠大以實現有效的回應",
+ "waf": "成本優化"
+ },
+ {
+ "category": "運營管理",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "id": "AOAI.67",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "AI 搜尋可靠性",
+ "text": "查看提供的有關設置 AI 搜索以實現可靠性的指南",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "id": "AOAI.68",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "AI 搜索向量限制",
+ "text": "規劃和管理 AI 搜索向量存儲",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "id": "AOAI.69",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "DevOps的",
+ "text": "應用 LLMOps 實踐來自動化 GenAI 應用程式的生命週期管理",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "成本優化",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "id": "AOAI.7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "成本核算模型",
+ "text": "評估計費模型的使用方式 - PAYG 與 PTU",
+ "waf": "成本優化"
+ },
+ {
+ "category": "運營管理",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "id": "AOAI.70",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "DevOps的",
+ "text": "在模型版本之間切換時評估提示和應用程式的品質",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "id": "AOAI.71",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "發展",
+ "text": "評估、監控和優化您的 GenAI 應用程式的特性,如接地氣、相關性、準確性、連貫性、流暢性、",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "id": "AOAI.72",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "發展",
+ "text": "根據不同的搜索參數評估 Azure AI 搜尋結果",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "id": "AOAI.73",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "發展",
+ "text": "只有在嘗試了其他基本方法(如提示工程和RAG處理數據)時,才將微調模型視為提高準確性的方法",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "運營管理",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "id": "AOAI.74",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "發展",
+ "text": "使用提示工程技術來提高 LLM 回應的準確性",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "治理與安全",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "id": "AOAI.75",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "安全審計和滲透測試",
+ "text": "紅隊您的 GenAI 應用程式",
+ "waf": "安全"
+ },
+ {
+ "category": "運營管理",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "id": "AOAI.76",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "最終用戶反饋",
+ "text": "為最終使用者提供 LLM 回應的評分選項並跟蹤這些分數。",
+ "waf": "卓越運營"
+ },
+ {
+ "category": "成本優化",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "id": "AOAI.8",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "subcategory": "配額管理",
+ "text": "考慮配額管理做法",
+ "waf": "成本優化"
+ },
+ {
+ "category": "運營管理",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "id": "AOAI.9",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "subcategory": "負載均衡",
+ "text": "使用負載均衡器解決方案(如基於APIM的閘道)在服務和區域之間平衡負載和容量",
+ "waf": "卓越運營"
+ }
+ ],
+ "metadata": {
+ "name": "Azure OpenAI Review",
+ "state": "Preview",
+ "timestamp": "July 23, 2024",
+ "waf": "all"
+ },
+ "severities": [
+ {
+ "name": "高"
+ },
+ {
+ "name": "中等"
+ },
+ {
+ "name": "低"
+ }
+ ],
+ "status": [
+ {
+ "description": "此檢查尚未查看",
+ "name": "未驗證"
+ },
+ {
+ "description": "有一個與此檢查關聯的操作項",
+ "name": "打開"
+ },
+ {
+ "description": "此檢查已經過驗證,並且沒有與之關聯的其他操作項",
+ "name": "實現"
+ },
+ {
+ "description": "建議已理解,但當前要求不需要",
+ "name": "不需要"
+ },
+ {
+ "description": "不適用於當前設計",
+ "name": "N/A"
+ }
+ ],
+ "waf": [
+ {
+ "name": "可靠性"
+ },
+ {
+ "name": "安全"
+ },
+ {
+ "name": "成本"
+ },
+ {
+ "name": "操作"
+ },
+ {
+ "name": "性能"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "是的"
+ },
+ {
+ "name": "不"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index 68a07a3bc..fd8cab64c 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -140,8 +140,8 @@
"guid": "685cb4f2-ac9c-4b19-9167-993ed0b32415",
"link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
"services": [
- "Entra",
- "LoadBalancer"
+ "LoadBalancer",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Enterprise Agreement",
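Review bot: The `services` reorder in this hunk (and in every other hunk of this file in view) changes no content — the original `"Entra", "LoadBalancer"` was alphabetical and the new `"LoadBalancer", "Entra"` is not — which looks like the master file is regenerated from an unordered collection, so every regeneration will churn the diff and bury real changes in review. If `checklist.en.master.json` is generated, the generator should emit `services` in a deterministic order (for example sorted and de-duplicated) before serializing; if it is hand-edited, keep the original sorted order and drop this reorder. A stable key and array order also matters for anyone hashing or signing the checklist. The enclosing checklist item starts before the hunk.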
@@ -154,8 +154,8 @@
"guid": "12cd499f-96e2-4e41-a243-231fb3245a1c",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"services": [
- "Entra",
- "TrafficManager"
+ "TrafficManager",
+ "Entra"
],
"severity": "Low",
"subcategory": "Enterprise Agreement",
@@ -183,9 +183,9 @@
"guid": "5cf9f485-2784-49b3-9824-75d9b8bdb57b",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"services": [
+ "Subscriptions",
"Entra",
- "Cost",
- "Subscriptions"
+ "Cost"
],
"severity": "Low",
"subcategory": "Enterprise Agreement",
@@ -212,8 +212,8 @@
"link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice",
"services": [
"Entra",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Low",
"subcategory": "Microsoft Customer Agreement",
@@ -240,8 +240,8 @@
"guid": "ae757485-92a4-482a-8bc9-eefe6f5b5ec3",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Microsoft Customer Agreement",
@@ -255,9 +255,9 @@
"link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
"service": "Entra",
"services": [
- "ACR",
"RBAC",
"Subscriptions",
+ "ACR",
"Entra"
],
"severity": "High",
@@ -317,8 +317,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
"service": "Entra",
"services": [
- "Entra",
- "AzurePolicy"
+ "AzurePolicy",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -347,8 +347,8 @@
"guid": "e6a83de5-de32-4c19-a248-1607d5d1e4e6",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -393,9 +393,9 @@
"guid": "f5664b5e-984a-4859-a773-e7d261623a76",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
"services": [
- "ACR",
"RBAC",
"Subscriptions",
+ "ACR",
"Entra"
],
"severity": "Medium",
@@ -426,8 +426,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
"service": "Entra",
"services": [
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -456,8 +456,8 @@
"guid": "cd163e39-84a5-4b39-97b7-6973abd70d94",
"link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server",
"services": [
- "Entra",
- "ASR"
+ "ASR",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Microsoft Entra ID",
@@ -471,8 +471,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
"service": "Entra",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -516,11 +516,11 @@
"guid": "d4d1ad54-1abc-4919-b267-3f342d3b49e4",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
"services": [
- "AKV",
+ "ACR",
"Storage",
+ "Entra",
"RBAC",
- "ACR",
- "Entra"
+ "AKV"
],
"severity": "Medium",
"subcategory": "Landing zones",
@@ -589,8 +589,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
"services": [
"RBAC",
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -605,9 +605,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
"services": [
"DNS",
- "VWAN",
+ "Subscriptions",
"ExpressRoute",
- "Subscriptions"
+ "VWAN"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -663,9 +663,9 @@
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
"services": [
"RBAC",
+ "Subscriptions",
"AzurePolicy",
- "Cost",
- "Subscriptions"
+ "Cost"
],
"severity": "High",
"subcategory": "Subscriptions",
@@ -691,8 +691,8 @@
"guid": "c68e1d76-6673-413b-9f56-64b5e984a859",
"link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations",
"services": [
- "Cost",
- "Subscriptions"
+ "Subscriptions",
+ "Cost"
],
"severity": "High",
"subcategory": "Subscriptions",
@@ -723,8 +723,8 @@
"guid": "ae28c84c-33b6-4b78-88b9-fe5c41049d40",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/get-started/manage-costs",
"services": [
- "Cost",
- "Subscriptions"
+ "Subscriptions",
+ "Cost"
],
"severity": "High",
"subcategory": "Subscriptions",
@@ -738,8 +738,8 @@
"guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
"services": [
- "Entra",
- "Subscriptions"
+ "Subscriptions",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -754,8 +754,8 @@
"guid": "5de32c19-9248-4160-9d5d-1e4e614658d3",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/track-costs",
"services": [
- "Cost",
- "Subscriptions"
+ "Subscriptions",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -822,8 +822,8 @@
"guid": "373f482f-3e39-4d39-8aa4-7e566f6082b6",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery",
"services": [
- "FrontDoor",
- "AppGW"
+ "AppGW",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "App delivery",
@@ -853,12 +853,12 @@
"service": "VNet",
"services": [
"Firewall",
+ "VPN",
"VNet",
"NVA",
- "ExpressRoute",
- "VPN",
"DNS",
- "Entra"
+ "Entra",
+ "ExpressRoute"
],
"severity": "High",
"subcategory": "Hub and spoke",
@@ -918,8 +918,8 @@
"link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
"service": "ARS",
"services": [
- "VNet",
- "ARS"
+ "ARS",
+ "VNet"
],
"severity": "Low",
"subcategory": "Hub and spoke",
@@ -933,8 +933,8 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
"service": "VNet",
"services": [
- "VNet",
- "ACR"
+ "ACR",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub and spoke",
@@ -965,8 +965,8 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
"service": "VNet",
"services": [
- "VNet",
- "ExpressRoute"
+ "ExpressRoute",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub and spoke",
@@ -1040,8 +1040,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
"service": "ExpressRoute",
"services": [
- "VNet",
- "ACR"
+ "ACR",
+ "VNet"
],
"severity": "High",
"subcategory": "IP plan",
@@ -1088,8 +1088,8 @@
"link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
"service": "VNet",
"services": [
- "VNet",
- "ASR"
+ "ASR",
+ "VNet"
],
"severity": "High",
"subcategory": "IP plan",
@@ -1153,8 +1153,8 @@
"service": "DNS",
"services": [
"DNS",
- "VNet",
- "VM"
+ "VM",
+ "VNet"
],
"severity": "High",
"subcategory": "IP plan",
@@ -1184,8 +1184,8 @@
"link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
"service": "Bastion",
"services": [
- "VNet",
- "Bastion"
+ "Bastion",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -1199,9 +1199,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
"service": "WAF",
"services": [
- "WAF",
"ACR",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -1217,10 +1217,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "WAF",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "FrontDoor",
- "AppGW"
+ "WAF",
+ "FrontDoor"
],
"severity": "Low",
"subcategory": "Internet",
@@ -1235,8 +1235,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "WAF",
"services": [
- "VNet",
- "WAF"
+ "WAF",
+ "VNet"
],
"severity": "High",
"subcategory": "Internet",
@@ -1251,8 +1251,8 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
"service": "VNet",
"services": [
- "VNet",
- "DDoS"
+ "DDoS",
+ "VNet"
],
"severity": "High",
"subcategory": "Internet",
@@ -1294,8 +1294,8 @@
"link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
"service": "Policy",
"services": [
- "AzurePolicy",
- "VM"
+ "VM",
+ "AzurePolicy"
],
"severity": "High",
"subcategory": "Internet",
@@ -1310,8 +1310,8 @@
"service": "ExpressRoute",
"services": [
"Backup",
- "VPN",
- "ExpressRoute"
+ "ExpressRoute",
+ "VPN"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -1516,8 +1516,8 @@
"service": "ExpressRoute",
"services": [
"ACR",
- "NetworkWatcher",
- "Monitor"
+ "Monitor",
+ "NetworkWatcher"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -1579,8 +1579,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
"service": "ExpressRoute",
"services": [
- "ACR",
- "ExpressRoute"
+ "ExpressRoute",
+ "ACR"
],
"severity": "High",
"subcategory": "Hybrid",
@@ -1637,9 +1637,9 @@
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
"service": "ExpressRoute",
"services": [
- "VNet",
"ExpressRoute",
- "Monitor"
+ "Monitor",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -1654,8 +1654,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
"service": "ExpressRoute",
"services": [
- "VNet",
- "ExpressRoute"
+ "ExpressRoute",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -1700,8 +1700,8 @@
"service": "Firewall",
"services": [
"Firewall",
- "RBAC",
"ACR",
+ "RBAC",
"AzurePolicy"
],
"severity": "Medium",
@@ -1733,8 +1733,8 @@
"link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
"service": "Firewall",
"services": [
- "DNS",
- "Firewall"
+ "Firewall",
+ "DNS"
],
"severity": "High",
"subcategory": "Firewall",
@@ -1845,8 +1845,8 @@
"link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
"service": "Firewall",
"services": [
- "VNet",
- "Firewall"
+ "Firewall",
+ "VNet"
],
"severity": "High",
"subcategory": "Segmentation",
@@ -1954,8 +1954,8 @@
"link": "https://learn.microsoft.com/azure/firewall/dns-details",
"service": "Firewall",
"services": [
- "DNS",
- "Firewall"
+ "Firewall",
+ "DNS"
],
"severity": "Medium",
"subcategory": "Firewall",
@@ -2059,10 +2059,10 @@
"link": "azure/private-link/inspect-traffic-with-azure-firewall",
"service": "Firewall",
"services": [
- "DNS",
+ "PrivateLink",
"Firewall",
"NVA",
- "PrivateLink"
+ "DNS"
],
"severity": "Medium",
"subcategory": "PaaS",
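Review bot: The `link` value `azure/private-link/inspect-traffic-with-azure-firewall` in this hunk is a bare relative path, while every other `link` in the file is an absolute `https://learn.microsoft.com/...` URL, so a viewer that renders links verbatim will produce a broken or origin-relative link for this item. The line is unchanged by the commit, but since the item is being touched it is worth correcting to `"link": "https://learn.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall",`. The enclosing checklist item starts before the hunk.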
@@ -2078,9 +2078,9 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
"service": "ExpressRoute",
"services": [
- "VNet",
"ExpressRoute",
- "VPN"
+ "VPN",
+ "VNet"
],
"severity": "High",
"subcategory": "Segmentation",
@@ -2123,8 +2123,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
"service": "NSG",
"services": [
- "VNet",
- "ACR"
+ "ACR",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Segmentation",
@@ -2139,9 +2139,9 @@
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
"service": "NSG",
"services": [
+ "NVA",
"VNet",
- "Entra",
- "NVA"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Segmentation",
@@ -2156,8 +2156,8 @@
"link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
"service": "NSG",
"services": [
- "VNet",
- "NetworkWatcher"
+ "NetworkWatcher",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Segmentation",
@@ -2219,8 +2219,8 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
"service": "VWAN",
"services": [
- "VWAN",
- "Firewall"
+ "Firewall",
+ "VWAN"
],
"severity": "Medium",
"subcategory": "Virtual WAN",
@@ -2351,8 +2351,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Governance",
@@ -2380,8 +2380,8 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
"service": "Policy",
"services": [
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Low",
"subcategory": "Governance",
@@ -2410,10 +2410,10 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
"service": "Policy",
"services": [
- "Entra",
"RBAC",
+ "Subscriptions",
"AzurePolicy",
- "Subscriptions"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Governance",
@@ -2427,8 +2427,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Governance",
@@ -2457,8 +2457,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
"service": "Policy",
"services": [
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Governance",
@@ -2499,9 +2499,9 @@
"guid": "29fd366b-a180-452b-9bd7-954b7700c667",
"link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json",
"services": [
+ "Monitor",
"TrafficManager",
- "Cost",
- "Monitor"
+ "Cost"
],
"severity": "Medium",
"subcategory": "Optimize your cloud investment",
@@ -2515,10 +2515,10 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "Monitor",
"services": [
- "Entra",
"RBAC",
+ "Monitor",
"AzurePolicy",
- "Monitor"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -2534,8 +2534,8 @@
"service": "Monitor",
"services": [
"ARS",
- "AzurePolicy",
"Monitor",
+ "AzurePolicy",
"Storage"
],
"severity": "High",
@@ -2551,9 +2551,9 @@
"link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
"service": "VM",
"services": [
+ "Monitor",
"AzurePolicy",
- "VM",
- "Monitor"
+ "VM"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -2598,8 +2598,8 @@
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
"service": "Network Watcher",
"services": [
- "NetworkWatcher",
- "Monitor"
+ "Monitor",
+ "NetworkWatcher"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -2628,8 +2628,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"services": [
"RBAC",
- "AzurePolicy",
- "Monitor"
+ "Monitor",
+ "AzurePolicy"
],
"severity": "Low",
"subcategory": "Monitoring",
@@ -2750,8 +2750,8 @@
"guid": "aa45be6a-8f2d-4896-b0e3-775e6e94e610",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-monitor",
"services": [
- "AzurePolicy",
- "Monitor"
+ "Monitor",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -2791,8 +2791,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
"service": "VM",
"services": [
- "AzurePolicy",
- "VM"
+ "VM",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Operational compliance",
@@ -2807,9 +2807,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
"service": "VM",
"services": [
+ "Monitor",
"AzurePolicy",
- "VM",
- "Monitor"
+ "VM"
],
"severity": "Medium",
"subcategory": "Operational compliance",
@@ -2823,8 +2823,8 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
"service": "VM",
"services": [
- "ACR",
"ASR",
+ "ACR",
"VM"
],
"severity": "Medium",
@@ -2866,9 +2866,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
"service": "WAF",
"services": [
+ "AppGW",
"WAF",
- "FrontDoor",
- "AppGW"
+ "FrontDoor"
],
"severity": "High",
"subcategory": "App delivery",
@@ -2882,10 +2882,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
"service": "WAF",
"services": [
- "WAF",
- "FrontDoor",
"AppGW",
- "Sentinel"
+ "WAF",
+ "Sentinel",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "App delivery",
@@ -2950,8 +2950,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Encryption and keys",
@@ -2965,8 +2965,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "AKV",
"RBAC",
+ "AKV",
"Entra"
],
"severity": "Medium",
@@ -3009,9 +3009,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "VNet",
+ "PrivateLink",
"AKV",
- "PrivateLink"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Encryption and keys",
@@ -3025,8 +3025,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
"service": "Key Vault",
"services": [
- "AKV",
"Monitor",
+ "AKV",
"Entra"
],
"severity": "Medium",
@@ -3041,8 +3041,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Encryption and keys",
@@ -3083,8 +3083,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "ACR",
"ASR",
+ "ACR",
"AKV"
],
"severity": "Medium",
@@ -3142,8 +3142,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
"service": "Defender",
"services": [
- "Subscriptions",
- "Defender"
+ "Defender",
+ "Subscriptions"
],
"severity": "High",
"subcategory": "Operations",
@@ -3157,8 +3157,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
"service": "Defender",
"services": [
- "Subscriptions",
- "Defender"
+ "Defender",
+ "Subscriptions"
],
"severity": "High",
"subcategory": "Operations",
@@ -3172,8 +3172,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
"service": "Defender",
"services": [
- "Subscriptions",
- "Defender"
+ "Defender",
+ "Subscriptions"
],
"severity": "High",
"subcategory": "Operations",
@@ -3199,8 +3199,8 @@
"link": "https://learn.microsoft.com/azure/security-center/",
"service": "VM",
"services": [
- "Monitor",
- "Defender"
+ "Defender",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -3214,8 +3214,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "Monitor",
"services": [
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -3390,8 +3390,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
"service": "Key Vault",
"services": [
- "AKV",
- "VM"
+ "VM",
+ "AKV"
],
"severity": "High",
"subcategory": "DevOps Team Topologies",
@@ -3563,8 +3563,8 @@
"guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29",
"link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757",
"services": [
- "ACR",
- "Backup"
+ "Backup",
+ "ACR"
],
"severity": "Medium",
"subcategory": "Backup",
@@ -3577,8 +3577,8 @@
"guid": "769e3969-0e78-428a-a936-657d03b0f466",
"link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581",
"services": [
- "Backup",
- "ASR"
+ "ASR",
+ "Backup"
],
"severity": "Medium",
"subcategory": "Backup",
@@ -3774,8 +3774,8 @@
"link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
"service": "App Services",
"services": [
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -3860,8 +3860,8 @@
"link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
"service": "App Services",
"services": [
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -3875,8 +3875,8 @@
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
"service": "App Services",
"services": [
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -3890,8 +3890,8 @@
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
"service": "App Services",
"services": [
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "AppSvc"
],
"severity": "Low",
"subcategory": "Monitoring",
@@ -3922,9 +3922,9 @@
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"service": "App Services",
"services": [
+ "Entra",
"AKV",
- "AppSvc",
- "Entra"
+ "AppSvc"
],
"severity": "High",
"subcategory": "Data Protection",
@@ -3955,8 +3955,8 @@
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"service": "App Services",
"services": [
- "AppSvc",
- "Subscriptions"
+ "Subscriptions",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Data Protection",
@@ -4036,8 +4036,8 @@
"service": "App Services",
"services": [
"Entra",
- "AppSvc",
- "AKV"
+ "AKV",
+ "AppSvc"
],
"severity": "High",
"subcategory": "Identity and Access Control",
@@ -4052,9 +4052,9 @@
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"service": "App Services",
"services": [
+ "ACR",
"Entra",
- "AppSvc",
- "ACR"
+ "AppSvc"
],
"severity": "High",
"subcategory": "Identity and Access Control",
@@ -4069,9 +4069,9 @@
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"service": "App Services",
"services": [
+ "Monitor",
"Entra",
- "AppSvc",
- "Monitor"
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Logging and Monitoring",
@@ -4086,9 +4086,9 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"service": "App Services",
"services": [
+ "Monitor",
"Entra",
- "AppSvc",
- "Monitor"
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Logging and Monitoring",
@@ -4104,10 +4104,10 @@
"service": "App Services",
"services": [
"Firewall",
- "Monitor",
"VNet",
"NVA",
- "AppSvc"
+ "AppSvc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Network Security",
@@ -4122,12 +4122,12 @@
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"service": "App Services",
"services": [
- "PrivateLink",
"Firewall",
"VNet",
+ "PrivateLink",
"NVA",
- "Storage",
- "AppSvc"
+ "AppSvc",
+ "Storage"
],
"severity": "Low",
"subcategory": "Network Security",
@@ -4158,10 +4158,10 @@
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"service": "App Services",
"services": [
- "WAF",
+ "AppSvc",
"Monitor",
"AppGW",
- "AppSvc",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -4177,9 +4177,9 @@
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"service": "App Services",
"services": [
+ "PrivateLink",
"WAF",
- "AppSvc",
- "PrivateLink"
+ "AppSvc"
],
"severity": "High",
"subcategory": "Network Security",
@@ -4228,8 +4228,8 @@
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"service": "App Services",
"services": [
- "AppSvc",
- "Storage"
+ "Storage",
+ "AppSvc"
],
"severity": "High",
"subcategory": "Network Security",
@@ -4260,8 +4260,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"service": "App Services",
"services": [
- "AppSvc",
- "Defender"
+ "Defender",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Network Security",
@@ -4276,13 +4276,13 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "App Services",
"services": [
- "EventHubs",
- "WAF",
- "AppGW",
- "VNet",
"DDoS",
+ "VNet",
+ "EventHubs",
"NVA",
- "AppSvc"
+ "AppSvc",
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "Network Security",
@@ -4297,10 +4297,10 @@
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"service": "App Services",
"services": [
- "VNet",
+ "PrivateLink",
"ACR",
- "AppSvc",
- "PrivateLink"
+ "VNet",
+ "AppSvc"
],
"severity": "Medium",
"subcategory": "Network Security",
@@ -4358,9 +4358,9 @@
"guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
"service": "AVS",
"services": [
- "Entra",
"Subscriptions",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -4373,8 +4373,8 @@
"guid": "75089c20-990d-4927-b105-885576f76fc2",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -4387,8 +4387,8 @@
"guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -4401,8 +4401,8 @@
"guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -4415,8 +4415,8 @@
"guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -4429,8 +4429,8 @@
"guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -4443,9 +4443,9 @@
"guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -4458,9 +4458,9 @@
"guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -4473,9 +4473,9 @@
"guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -4488,9 +4488,9 @@
"guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -4517,10 +4517,10 @@
"guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
"service": "AVS",
"services": [
- "Monitor",
"NetworkWatcher",
- "ExpressRoute",
"VPN",
+ "Monitor",
+ "ExpressRoute",
"AVS"
],
"severity": "High",
@@ -4534,10 +4534,10 @@
"guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
"service": "AVS",
"services": [
- "Monitor",
- "NetworkWatcher",
"ExpressRoute",
+ "Monitor",
"VM",
+ "NetworkWatcher",
"AVS"
],
"severity": "Medium",
@@ -4551,10 +4551,10 @@
"guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
"service": "AVS",
"services": [
- "NetworkWatcher",
- "VM",
"Monitor",
- "AVS"
+ "NetworkWatcher",
+ "AVS",
+ "VM"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -4581,9 +4581,9 @@
"guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Security (identity)",
@@ -4596,9 +4596,9 @@
"guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Security (identity)",
@@ -4611,8 +4611,8 @@
"guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security (identity)",
@@ -4625,8 +4625,8 @@
"guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Security (identity)",
@@ -4639,9 +4639,9 @@
"guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
"service": "AVS",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security (identity)",
@@ -4654,8 +4654,8 @@
"guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
"service": "AVS",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security (identity)",
@@ -4668,9 +4668,9 @@
"guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
"service": "AVS",
"services": [
- "Entra",
"VM",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "High",
"subcategory": "Security (identity)",
@@ -4697,8 +4697,8 @@
"service": "AVS",
"services": [
"Firewall",
- "AppGW",
- "AVS"
+ "AVS",
+ "AppGW"
],
"severity": "High",
"subcategory": "Security (network)",
@@ -4738,10 +4738,10 @@
"guid": "334fdf91-c234-4182-a652-75269440b4be",
"service": "AVS",
"services": [
- "VNet",
+ "VPN",
"DDoS",
+ "VNet",
"ExpressRoute",
- "VPN",
"AVS"
],
"severity": "Medium",
@@ -4810,8 +4810,8 @@
"guid": "a3592718-e6e2-4051-9267-6ae46691e883",
"service": "AVS",
"services": [
- "AKV",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Low",
"subcategory": "Security (guest/VM)",
@@ -4850,9 +4850,9 @@
"guid": "d88408f3-7273-44c8-96ba-280214590146",
"service": "AVS",
"services": [
+ "AVS",
"AzurePolicy",
- "Storage",
- "AVS"
+ "Storage"
],
"severity": "High",
"subcategory": "Governance (platform)",
@@ -4892,8 +4892,8 @@
"guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
"service": "AVS",
"services": [
- "AzurePolicy",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Governance (platform)",
@@ -4906,8 +4906,8 @@
"guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
"service": "AVS",
"services": [
- "Cost",
- "AVS"
+ "AVS",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Governance (platform)",
@@ -4920,8 +4920,8 @@
"guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
"service": "AVS",
"services": [
- "Cost",
- "AVS"
+ "AVS",
+ "Cost"
],
"severity": "Low",
"subcategory": "Governance (platform)",
@@ -4960,8 +4960,8 @@
"guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
"service": "AVS",
"services": [
- "VM",
"Defender",
+ "VM",
"AVS"
],
"severity": "Medium",
@@ -4975,8 +4975,8 @@
"guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
"service": "AVS",
"services": [
- "VM",
"Arc",
+ "VM",
"AVS"
],
"severity": "Medium",
@@ -5003,9 +5003,9 @@
"guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
"service": "AVS",
"services": [
- "VM",
"Monitor",
- "AVS"
+ "AVS",
+ "VM"
],
"severity": "Medium",
"subcategory": "Governance (guest/VM)",
@@ -5019,9 +5019,9 @@
"service": "AVS",
"services": [
"Backup",
- "AzurePolicy",
"VM",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Governance (guest/VM)",
@@ -5159,8 +5159,8 @@
"service": "AVS",
"services": [
"Monitor",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -5187,10 +5187,10 @@
"guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
"service": "AVS",
"services": [
- "AzurePolicy",
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "AzurePolicy",
+ "Storage"
],
"severity": "High",
"subcategory": "Operations",
@@ -5217,8 +5217,8 @@
"service": "AVS",
"services": [
"Backup",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -5272,9 +5272,9 @@
"guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
"service": "AVS",
"services": [
- "AzurePolicy",
"Monitor",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -5386,9 +5386,9 @@
"service": "AVS",
"services": [
"ExpressRoute",
- "ASR",
"NVA",
- "AVS"
+ "AVS",
+ "ASR"
],
"severity": "Medium",
"subcategory": "Disaster Recovery",
@@ -5508,8 +5508,8 @@
"guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
"service": "AVS",
"services": [
- "AzurePolicy",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Low",
"subcategory": "Automated Deployment",
@@ -5522,8 +5522,8 @@
"guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
"service": "AVS",
"services": [
- "AKV",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Low",
"subcategory": "Automated Connectivity",
@@ -5536,9 +5536,9 @@
"guid": "255461e2-aee3-4553-afc8-339248b262d6",
"service": "AVS",
"services": [
- "AKV",
"ExpressRoute",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Low",
"subcategory": "Automated Connectivity",
@@ -5591,9 +5591,9 @@
"guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
"service": "AVS",
"services": [
+ "AVS",
"AzurePolicy",
- "Storage",
- "AVS"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Automated Scale",
@@ -5732,8 +5732,8 @@
"service": "AVS",
"services": [
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Architecture",
@@ -5748,8 +5748,8 @@
"service": "AVS",
"services": [
"ExpressRoute",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Architecture",
@@ -5764,8 +5764,8 @@
"service": "AVS",
"services": [
"ExpressRoute",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Architecture",
@@ -5976,8 +5976,8 @@
"link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
"service": "Cognitive Search",
"services": [
- "Backup",
"ASR",
+ "Backup",
"Storage"
],
"severity": "High",
@@ -6074,8 +6074,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
"service": "Azure Data Explorer",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"subcategory": "Replication",
"text": "Leverage External Tables and Continuous data export overview to reduce costs",
@@ -6182,10 +6182,10 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
"service": "Azure Data Explorer",
"services": [
- "Cost",
"ASR",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Cost"
],
"subcategory": "DR Configuration",
"text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
@@ -6238,8 +6238,8 @@
"link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
"services": [
"Backup",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Backup",
@@ -6268,8 +6268,8 @@
"guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae",
"link": "Best practice to deploy backup in the same region as your AVS deployment",
"services": [
- "Backup",
"ASR",
+ "Backup",
"AVS"
],
"severity": "Medium",
@@ -6387,8 +6387,8 @@
"guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c",
"link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.",
"services": [
- "ExpressRoute",
"ASR",
+ "ExpressRoute",
"NVA",
"AVS"
],
@@ -6479,8 +6479,8 @@
"guid": "91f7a87b-21ac-d712-959c-8df2ba034253",
"link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal",
"services": [
- "VNet",
- "AVS"
+ "AVS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub & Spoke",
@@ -6494,10 +6494,10 @@
"guid": "58a027e2-f37f-b540-45d5-e44843aba26b",
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
"services": [
- "VNet",
- "ExpressRoute",
"VPN",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub & Spoke",
@@ -6511,10 +6511,10 @@
"guid": "d4806549-0913-3e79-b580-ac2d3706e65a",
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
"services": [
- "VNet",
- "ExpressRoute",
"VPN",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub & Spoke",
@@ -6528,10 +6528,10 @@
"guid": "864d7a8b-7016-c769-a717-61af6bfb73d2",
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
"services": [
- "VNet",
- "ExpressRoute",
"VPN",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hub & Spoke",
@@ -6560,8 +6560,8 @@
"guid": "71e68ce3-982e-5e56-0191-01100ad0e66f",
"link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html",
"services": [
- "Bastion",
- "AVS"
+ "AVS",
+ "Bastion"
],
"severity": "Medium",
"subcategory": "Jumpbox & Bastion",
@@ -6576,8 +6576,8 @@
"link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal",
"services": [
"VNet",
- "Bastion",
- "AVS"
+ "AVS",
+ "Bastion"
],
"severity": "Medium",
"subcategory": "Jumpbox & Bastion",
@@ -6591,9 +6591,9 @@
"guid": "ba430d58-4541-085c-3641-068c00be9bc5",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
"services": [
- "Bastion",
"VM",
- "AVS"
+ "AVS",
+ "Bastion"
],
"severity": "Medium",
"subcategory": "Jumpbox & Bastion",
@@ -6667,8 +6667,8 @@
"guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076",
"link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal",
"services": [
- "VWAN",
"VPN",
+ "VWAN",
"AVS"
],
"severity": "Medium",
@@ -6683,8 +6683,8 @@
"guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b",
"link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal",
"services": [
- "VWAN",
"Firewall",
+ "VWAN",
"AVS"
],
"severity": "Medium",
@@ -6699,8 +6699,8 @@
"guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3",
"link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Access",
@@ -6714,8 +6714,8 @@
"guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997",
"link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Access",
@@ -6729,8 +6729,8 @@
"guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1",
"link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Access",
@@ -6744,8 +6744,8 @@
"guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635",
"link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Access",
@@ -6759,8 +6759,8 @@
"guid": "bec285ab-037e-d629-81d1-f61dac23cd4c",
"link": "https://youtu.be/4jvfbsrhnEs",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -6774,9 +6774,9 @@
"guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73",
"link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -6790,9 +6790,9 @@
"guid": "b04ca129-83a9-3494-7512-347dd2d766db",
"link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -6806,9 +6806,9 @@
"guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb",
"link": "Best practice",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -6822,9 +6822,9 @@
"guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security ",
@@ -6838,9 +6838,9 @@
"guid": "0842d45f-41a8-8274-1155-2f6ed554d315",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
"services": [
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security ",
@@ -6854,9 +6854,9 @@
"guid": "915cbcd7-0640-eb7c-4162-9f33775de559",
"link": "Best practice",
"services": [
- "Entra",
"Monitor",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security ",
@@ -6870,8 +6870,8 @@
"guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a",
"link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal",
"services": [
- "Entra",
- "AVS"
+ "AVS",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security ",
@@ -6885,8 +6885,8 @@
"guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82",
"link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview",
"services": [
- "VM",
"Arc",
+ "VM",
"AVS"
],
"severity": "Medium",
@@ -6901,9 +6901,9 @@
"guid": "11dbe773-e380-9191-1418-e886fa7a6fd0",
"link": "https://docs.microsoft.com/azure/governance/policy/overview",
"services": [
- "AzurePolicy",
"Monitor",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -6945,8 +6945,8 @@
"guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
"services": [
- "AKV",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Operations",
@@ -7005,9 +7005,9 @@
"guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509",
"link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
"services": [
- "Monitor",
"Backup",
"AzurePolicy",
+ "Monitor",
"VM",
"AVS"
],
@@ -7023,9 +7023,9 @@
"guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6",
"link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
"services": [
- "AzurePolicy",
"Monitor",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Capacity",
@@ -7040,9 +7040,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern",
"services": [
"Subscriptions",
- "Cost",
"Monitor",
- "AVS"
+ "AVS",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Costs",
@@ -7056,8 +7056,8 @@
"guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74",
"link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards",
"services": [
- "NetworkWatcher",
"Monitor",
+ "NetworkWatcher",
"AVS"
],
"severity": "Medium",
@@ -7073,8 +7073,8 @@
"link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs",
"services": [
"Monitor",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Logs & Metrics",
@@ -7103,8 +7103,8 @@
"guid": "b243521a-644d-f865-7fb6-21f9019c0dd2",
"link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs",
"services": [
- "VM",
"Monitor",
+ "VM",
"AVS"
],
"severity": "Medium",
@@ -7119,10 +7119,10 @@
"guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3",
"link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal",
"services": [
- "Monitor",
"NetworkWatcher",
- "ExpressRoute",
"VPN",
+ "Monitor",
+ "ExpressRoute",
"AVS"
],
"severity": "Medium",
@@ -7213,9 +7213,9 @@
"guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a",
"link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard",
"services": [
- "VM",
"Monitor",
- "AVS"
+ "AVS",
+ "VM"
],
"severity": "Medium",
"subcategory": "VMware",
@@ -7302,10 +7302,10 @@
"guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937",
"link": "Research and choose optimal solution for each application",
"services": [
- "FrontDoor",
"NVA",
+ "AVS",
"AppGW",
- "AVS"
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -7334,15 +7334,15 @@
"guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a",
"link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection",
"services": [
- "AppGW",
- "VNet",
+ "VPN",
"DDoS",
- "ExpressRoute",
+ "VNet",
+ "LoadBalancer",
"VM",
- "FrontDoor",
- "VPN",
+ "AppGW",
+ "ExpressRoute",
"AVS",
- "LoadBalancer"
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "Security",
@@ -7384,8 +7384,8 @@
"guid": "3f621543-dfac-c471-54a6-7b2849b6909a",
"link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
"services": [
- "VWAN",
"Firewall",
+ "VWAN",
"AVS"
],
"severity": "Medium",
@@ -7430,9 +7430,9 @@
"guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale",
"services": [
+ "AVS",
"AzurePolicy",
- "Storage",
- "AVS"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Automated Scale",
@@ -7546,8 +7546,8 @@
"guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b",
"link": "Internal policy or regulatory compliance",
"services": [
- "AzurePolicy",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Pre-deployment",
@@ -7661,8 +7661,8 @@
"guid": "0c87f999-e517-21ef-f355-f210ad4134d2",
"link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html",
"services": [
- "VNet",
- "AVS"
+ "AVS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Pre-deployment",
@@ -7704,8 +7704,8 @@
"guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f",
"link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20",
"services": [
- "Cost",
- "AVS"
+ "AVS",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Pre-deployment",
@@ -7762,8 +7762,8 @@
"guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646",
"link": "General recommendation for storing encryption keys.",
"services": [
- "AKV",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Encryption",
@@ -7792,9 +7792,9 @@
"guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e",
"link": "https://docs.microsoft.com/azure/key-vault/general/authentication",
"services": [
- "AKV",
"ExpressRoute",
- "AVS"
+ "AVS",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Encryption",
@@ -7822,8 +7822,8 @@
"guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a",
"link": "https://learn.microsoft.com/azure/sentinel/overview",
"services": [
- "Sentinel",
- "AVS"
+ "AVS",
+ "Sentinel"
],
"severity": "Medium",
"subcategory": "Investigation",
@@ -7852,8 +7852,8 @@
"guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b",
"link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration",
"services": [
- "AzurePolicy",
- "AVS"
+ "AVS",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Security",
@@ -8007,8 +8007,8 @@
"guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7",
"link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html",
"services": [
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8023,8 +8023,8 @@
"link": "3rd-Party tools",
"services": [
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8039,8 +8039,8 @@
"link": "Contact VMware",
"services": [
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8054,8 +8054,8 @@
"guid": "efc8a311-74f8-0252-c6a0-4bac7610e266",
"link": "Contact VMware",
"services": [
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8069,8 +8069,8 @@
"guid": "ab6c89cd-a26f-b894-fe59-61863975458e",
"link": "Contact VMware",
"services": [
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8084,10 +8084,10 @@
"guid": "7628d446-6b10-9678-9cec-f407d990de43",
"link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance",
"services": [
- "AzurePolicy",
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "AzurePolicy",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8101,10 +8101,10 @@
"guid": "37fef358-7ab9-43a9-542c-22673955200e",
"link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy",
"services": [
- "AzurePolicy",
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "AzurePolicy",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8118,9 +8118,9 @@
"guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7",
"link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance",
"services": [
+ "AVS",
"AzurePolicy",
- "Storage",
- "AVS"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8134,8 +8134,8 @@
"guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863",
"link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution",
"services": [
- "Storage",
- "AVS"
+ "AVS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -8149,8 +8149,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "AKV",
- "Backup"
+ "Backup",
+ "AKV"
],
"severity": "High",
"subcategory": "Deployment best practices",
@@ -8164,8 +8164,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
"service": "Key Vault",
"services": [
- "AKV",
- "ACR"
+ "ACR",
+ "AKV"
],
"severity": "Medium",
"subcategory": "High Availability",
@@ -8193,8 +8193,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
"service": "Key Vault",
"services": [
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
],
"severity": "Medium",
"subcategory": "High Availability",
@@ -8208,11 +8208,11 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
"service": "Key Vault",
"services": [
- "AKV",
"Subscriptions",
- "Storage",
"Backup",
- "ASR"
+ "Storage",
+ "ASR",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Business continuity and disaster recovery",
@@ -8226,8 +8226,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
"service": "Key Vault",
"services": [
- "AKV",
- "ASR"
+ "ASR",
+ "AKV"
],
"severity": "High",
"subcategory": "Business continuity and disaster recovery",
@@ -8241,8 +8241,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
"service": "Key Vault",
"services": [
- "AKV",
- "ASR"
+ "ASR",
+ "AKV"
],
"severity": "Low",
"subcategory": "Business continuity and disaster recovery",
@@ -8256,9 +8256,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
"service": "Key Vault",
"services": [
- "AKV",
+ "ASR",
"Backup",
- "ASR"
+ "AKV"
],
"severity": "Low",
"subcategory": "Business continuity and disaster recovery",
@@ -8272,9 +8272,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
"service": "Key Vault",
"services": [
- "AKV",
+ "ASR",
"Backup",
- "ASR"
+ "AKV"
],
"severity": "Low",
"subcategory": "Business continuity and disaster recovery",
@@ -8288,9 +8288,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
"service": "Key Vault",
"services": [
+ "ASR",
"EventHubs",
- "AKV",
- "ASR"
+ "AKV"
],
"severity": "Medium",
"subcategory": "Business continuity and disaster recovery",
@@ -8535,8 +8535,8 @@
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation",
"services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Cost Optimization",
@@ -8743,9 +8743,9 @@
"guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5",
"link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json",
"services": [
+ "ASR",
"DNS",
- "TrafficManager",
- "ASR"
+ "TrafficManager"
],
"severity": "Medium",
"subcategory": "Azure DNS",
@@ -8771,8 +8771,8 @@
"guid": "f7b95e06-e154-4e2a-a359-2828e6e20517",
"link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
"services": [
- "DNS",
- "ASR"
+ "ASR",
+ "DNS"
],
"severity": "Medium",
"subcategory": "Azure DNS Resolver",
@@ -8800,8 +8800,8 @@
"link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html",
"services": [
"DNS",
- "Entra",
- "VM"
+ "VM",
+ "Entra"
],
"severity": "Medium",
"subcategory": "VM Based DNS Service",
@@ -8888,8 +8888,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
"service": "App Gateway",
"services": [
- "VNet",
- "AppGW"
+ "AppGW",
+ "VNet"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -8905,12 +8905,12 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW",
"VNet",
- "NVA",
"Subscriptions",
- "Entra"
+ "NVA",
+ "AppGW",
+ "Entra",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -8971,8 +8971,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -8988,10 +8988,10 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "Front Door",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "FrontDoor",
- "AppGW"
+ "WAF",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "App delivery",
@@ -9055,8 +9055,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -9164,9 +9164,9 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
"service": "Front Door",
"services": [
+ "FrontDoor",
"AKV",
- "Cost",
- "FrontDoor"
+ "Cost"
],
"severity": "High",
"subcategory": "Front Door",
@@ -9257,8 +9257,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -9381,8 +9381,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "High",
"subcategory": "App Gateway",
@@ -9397,9 +9397,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
"service": "App Gateway",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "AppGW"
+ "WAF"
],
"severity": "High",
"subcategory": "App Gateway",
@@ -9414,8 +9414,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "High",
"subcategory": "App Gateway",
@@ -9431,9 +9431,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
"service": "App Gateway",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "AppGW"
+ "WAF"
],
"severity": "High",
"subcategory": "App Gateway",
@@ -9447,8 +9447,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9462,8 +9462,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9489,8 +9489,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9504,8 +9504,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9519,8 +9519,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9549,8 +9549,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
"service": "App Gateway",
"services": [
- "WAF",
"AppGW",
+ "WAF",
"Sentinel"
],
"severity": "Medium",
@@ -9566,8 +9566,8 @@
"service": "Front Door",
"services": [
"WAF",
- "FrontDoor",
- "Sentinel"
+ "Sentinel",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "Front Door",
@@ -9581,8 +9581,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9596,8 +9596,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"subcategory": "App Gateway",
@@ -9611,8 +9611,8 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
"service": "App Gateway",
"services": [
- "VPN",
"ExpressRoute",
+ "VPN",
"AppGW",
"VNet"
],
@@ -9850,8 +9850,8 @@
"link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
"service": "Windows AD",
"services": [
- "Entra",
- "VM"
+ "VM",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Windows Server AD",
@@ -9934,8 +9934,8 @@
"guid": "338ee253-c17d-432e-aaaa-b7571549ab81",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones",
"services": [
- "ServiceBus",
- "ACR"
+ "ACR",
+ "ServiceBus"
],
"severity": "High",
"subcategory": "Best Practices",
@@ -9949,9 +9949,9 @@
"guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery",
"services": [
- "ServiceBus",
"ASR",
- "Storage"
+ "Storage",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Geo-Disaster Recovery",
@@ -9965,9 +9965,9 @@
"guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview",
"services": [
- "ServiceBus",
"ASR",
- "ACR"
+ "ACR",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Geo-Disaster Recovery",
@@ -9981,8 +9981,8 @@
"guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6",
"link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus",
"services": [
- "ServiceBus",
- "Storage"
+ "Storage",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Best Practices",
@@ -10022,8 +10022,8 @@
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"services": [
"PrivateLink",
- "ServiceBus",
- "Storage"
+ "Storage",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Best Practices",
@@ -10062,9 +10062,9 @@
"guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"services": [
- "ServiceBus",
"ASR",
- "Storage"
+ "Storage",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Best Practices",
@@ -10176,11 +10176,11 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
"service": "Service Bus",
"services": [
+ "TrafficManager",
"ServiceBus",
- "RBAC",
"AzurePolicy",
"Entra",
- "TrafficManager"
+ "RBAC"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -10197,11 +10197,11 @@
"service": "Service Bus",
"services": [
"ServiceBus",
- "AKV",
- "Storage",
- "VM",
"AppSvc",
- "Entra"
+ "VM",
+ "Storage",
+ "Entra",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -10220,8 +10220,8 @@
"ServiceBus",
"Subscriptions",
"Storage",
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -10237,9 +10237,9 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
"service": "Service Bus",
"services": [
+ "Monitor",
"VNet",
- "ServiceBus",
- "Monitor"
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -10256,8 +10256,8 @@
"service": "Service Bus",
"services": [
"PrivateLink",
- "ServiceBus",
- "VNet"
+ "VNet",
+ "ServiceBus"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -10350,9 +10350,9 @@
"guid": "676f6951-0368-49e9-808d-c33a692c9a64",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data",
"services": [
- "AKV",
+ "SQL",
"Backup",
- "SQL"
+ "AKV"
],
"severity": "Medium",
"subcategory": "Azure Key Vault",
@@ -10366,9 +10366,9 @@
"guid": "e2518261-b3bc-4bd1-b331-637fb2df833f",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups",
"services": [
+ "SQL",
"Backup",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Backup",
@@ -10382,9 +10382,9 @@
"guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4",
"link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy",
"services": [
+ "SQL",
"Backup",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Low",
"subcategory": "Backup",
@@ -10440,9 +10440,9 @@
"guid": "4e52d73f-5d37-428f-b3a2-e6997e835979",
"link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure",
"services": [
+ "SQL",
"EventHubs",
- "Defender",
- "SQL"
+ "Defender"
],
"severity": "High",
"subcategory": "Advanced Threat Protection",
@@ -10456,9 +10456,9 @@
"guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1",
"link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ",
"services": [
+ "SQL",
"Subscriptions",
- "Defender",
- "SQL"
+ "Defender"
],
"severity": "High",
"subcategory": "Defender for Azure SQL",
@@ -10472,9 +10472,9 @@
"guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea",
"link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure",
"services": [
- "Defender",
+ "SQL",
"Monitor",
- "SQL"
+ "Defender"
],
"severity": "High",
"subcategory": "Defender for Azure SQL",
@@ -10488,9 +10488,9 @@
"guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview",
"services": [
+ "SQL",
"Monitor",
- "Defender",
- "SQL"
+ "Defender"
],
"severity": "High",
"subcategory": "Vulnerability Assessment",
@@ -10504,8 +10504,8 @@
"guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql",
"services": [
- "Defender",
- "SQL"
+ "SQL",
+ "Defender"
],
"severity": "High",
"subcategory": "Vulnerability Assessment",
@@ -10533,9 +10533,9 @@
"guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3",
"link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption",
"services": [
+ "SQL",
"AKV",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Low",
"subcategory": "Column Encryption",
@@ -10549,9 +10549,9 @@
"guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d",
"link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server",
"services": [
+ "SQL",
"Backup",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "High",
"subcategory": "Transparent Data Encryption",
@@ -10565,8 +10565,8 @@
"guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25",
"link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview",
"services": [
- "AKV",
- "SQL"
+ "SQL",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Transparent Data Encryption",
@@ -10594,8 +10594,8 @@
"guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7",
"link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview",
"services": [
- "Entra",
- "SQL"
+ "SQL",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Azure Active Directory",
@@ -10609,9 +10609,9 @@
"guid": "29820254-1d14-4778-ae90-ff4aeba504a3",
"link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities",
"services": [
- "Entra",
+ "SQL",
"Monitor",
- "SQL"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Azure Active Directory",
@@ -10625,8 +10625,8 @@
"guid": "df3a09ee-03bb-4198-8637-d141acf5f289",
"link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications",
"services": [
- "Entra",
- "SQL"
+ "SQL",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Azure Active Directory",
@@ -10640,11 +10640,11 @@
"guid": "69891194-5074-4e30-8f69-4efc3c580900",
"link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
"services": [
- "AKV",
"SQL",
"ACR",
+ "Entra",
"RBAC",
- "Entra"
+ "AKV"
],
"severity": "Low",
"subcategory": "Managed Identities",
@@ -10658,8 +10658,8 @@
"guid": "88287d4a-8bb8-4640-ad78-03f51354d003",
"link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication",
"services": [
- "Entra",
- "SQL"
+ "SQL",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Passwords",
@@ -10673,8 +10673,8 @@
"guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc",
"link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Database Digest",
@@ -10688,9 +10688,9 @@
"guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a",
"link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management",
"services": [
+ "SQL",
"AzurePolicy",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Database Digest",
@@ -10704,8 +10704,8 @@
"guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420",
"link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Integrity",
@@ -10747,9 +10747,9 @@
"guid": "4082e31d-35f4-4a49-8507-d3172cc930a6",
"link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
"services": [
+ "SQL",
"AzurePolicy",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Auditing",
@@ -10763,11 +10763,11 @@
"guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46",
"link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
"services": [
+ "SQL",
"EventHubs",
+ "Backup",
"Monitor",
"Storage",
- "SQL",
- "Backup",
"Entra"
],
"severity": "Low",
@@ -10782,11 +10782,11 @@
"guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"services": [
+ "SQL",
"EventHubs",
- "Monitor",
"Subscriptions",
- "Storage",
- "SQL"
+ "Monitor",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Auditing",
@@ -10800,8 +10800,8 @@
"guid": "f96e127e-9572-453a-b325-ff89ae9f6b44",
"link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview",
"services": [
- "Monitor",
- "SQL"
+ "SQL",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "SIEM/SOAR",
@@ -10815,8 +10815,8 @@
"guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"services": [
- "Monitor",
- "SQL"
+ "SQL",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "SIEM/SOAR",
@@ -10830,8 +10830,8 @@
"guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"services": [
- "EventHubs",
- "SQL"
+ "SQL",
+ "EventHubs"
],
"severity": "Medium",
"subcategory": "SIEM/SOAR",
@@ -10861,8 +10861,8 @@
"link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture",
"services": [
"PrivateLink",
- "AzurePolicy",
- "SQL"
+ "SQL",
+ "AzurePolicy"
],
"severity": "Low",
"subcategory": "Connectivity",
@@ -10876,8 +10876,8 @@
"guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082",
"link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
"services": [
- "Subscriptions",
- "SQL"
+ "SQL",
+ "Subscriptions"
],
"severity": "High",
"subcategory": "Connectivity",
@@ -10891,9 +10891,9 @@
"guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e",
"link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql",
"services": [
- "EventHubs",
"APIM",
- "SQL"
+ "SQL",
+ "EventHubs"
],
"severity": "Medium",
"subcategory": "Outbound Control",
@@ -10907,8 +10907,8 @@
"guid": "a566dd3d-314e-4a94-9378-102c42d82b38",
"link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Outbound Control",
@@ -10922,11 +10922,11 @@
"guid": "246cd832-f550-4af0-9c74-ca9baeeb8860",
"link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
"services": [
- "PrivateLink",
"Firewall",
- "Monitor",
"VNet",
- "SQL"
+ "PrivateLink",
+ "SQL",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Private Access",
@@ -10941,8 +10941,8 @@
"link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server",
"services": [
"PrivateLink",
- "VNet",
- "SQL"
+ "SQL",
+ "VNet"
],
"severity": "High",
"subcategory": "Private Access",
@@ -10956,9 +10956,9 @@
"guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2",
"link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints",
"services": [
- "VNet",
"PrivateLink",
- "SQL"
+ "SQL",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Private Access",
@@ -10972,9 +10972,9 @@
"guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview",
"services": [
- "VNet",
+ "SQL",
"ExpressRoute",
- "SQL"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Private Access",
@@ -10988,9 +10988,9 @@
"guid": "55187443-6852-4fbd-99c6-ce303597ca7f",
"link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules",
"services": [
- "VNet",
+ "SQL",
"AzurePolicy",
- "SQL"
+ "VNet"
],
"severity": "High",
"subcategory": "Public Access",
@@ -11004,8 +11004,8 @@
"guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31",
"link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Public Access",
@@ -11019,8 +11019,8 @@
"guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768",
"link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Low",
"subcategory": "Public Access",
@@ -11034,9 +11034,9 @@
"guid": "b8435656-143e-41a8-9922-61d34edb751a",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview",
"services": [
- "VNet",
+ "SQL",
"AzurePolicy",
- "SQL"
+ "VNet"
],
"severity": "High",
"subcategory": "Public Access",
@@ -11050,8 +11050,8 @@
"guid": "057dd298-8726-4aa6-b590-1f81d2e30421",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview",
"services": [
- "VNet",
- "SQL"
+ "SQL",
+ "VNet"
],
"severity": "High",
"subcategory": "Public Access",
@@ -11093,8 +11093,8 @@
"guid": "7b5b55e5-4750-4920-be97-eb726c256a5c",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access",
"services": [
- "Entra",
- "SQL"
+ "SQL",
+ "Entra"
],
"severity": "Low",
"subcategory": "Permissions",
@@ -11170,9 +11170,9 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
"service": "VM",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Virtual Machines",
@@ -11429,8 +11429,8 @@
"guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa",
"link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure",
"services": [
- "RBAC",
- "ASR"
+ "ASR",
+ "RBAC"
],
"severity": "Medium",
"subcategory": "DevOps",
@@ -11472,8 +11472,8 @@
"guid": "ced126cd-032a-4f5b-8fc6-998a535e3378",
"link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
"services": [
- "Storage",
- "AppGW"
+ "AppGW",
+ "Storage"
],
"severity": "High",
"subcategory": "Application Gateways",
@@ -11501,10 +11501,10 @@
"guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a",
"link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager",
"services": [
- "DNS",
- "TrafficManager",
"ASR",
- "Monitor"
+ "DNS",
+ "Monitor",
+ "TrafficManager"
],
"severity": "Low",
"subcategory": "DNS",
@@ -11519,9 +11519,9 @@
"link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
"service": "DNS",
"services": [
+ "ASR",
"DNS",
- "ACR",
- "ASR"
+ "ACR"
],
"severity": "Low",
"subcategory": "DNS",
@@ -11564,8 +11564,8 @@
"guid": "a359c373-e7dd-4616-83a3-64a907ebae48",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"services": [
- "ExpressRoute",
- "Backup"
+ "Backup",
+ "ExpressRoute"
],
"severity": "Medium",
"subcategory": "ExpressRoute",
@@ -11580,9 +11580,9 @@
"link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
"services": [
"Backup",
- "Cost",
+ "ExpressRoute",
"VPN",
- "ExpressRoute"
+ "Cost"
],
"severity": "Low",
"subcategory": "ExpressRoute",
@@ -11610,8 +11610,8 @@
"guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574",
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
"services": [
- "LoadBalancer",
- "VM"
+ "VM",
+ "LoadBalancer"
],
"severity": "Low",
"subcategory": "Load Balancers",
@@ -11625,8 +11625,8 @@
"guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d",
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance",
"services": [
- "LoadBalancer",
- "Monitor"
+ "Monitor",
+ "LoadBalancer"
],
"severity": "Low",
"subcategory": "Load Balancers",
@@ -11727,8 +11727,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
"service": "CosmosDB",
"services": [
- "CosmosDB",
- "ACR"
+ "ACR",
+ "CosmosDB"
],
"severity": "Medium",
"subcategory": "High Availability",
@@ -11743,8 +11743,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
"service": "CosmosDB",
"services": [
- "CosmosDB",
- "ACR"
+ "ACR",
+ "CosmosDB"
],
"severity": "Medium",
"subcategory": "High Availability",
@@ -11789,8 +11789,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
"service": "CosmosDB",
"services": [
- "CosmosDB",
"Backup",
+ "CosmosDB",
"Storage"
],
"severity": "Medium",
@@ -11807,8 +11807,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
"service": "CosmosDB",
"services": [
- "CosmosDB",
- "Backup"
+ "Backup",
+ "CosmosDB"
],
"severity": "Medium",
"subcategory": "Backup Strategy",
@@ -11824,8 +11824,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
"service": "CosmosDB",
"services": [
- "CosmosDB",
- "Backup"
+ "Backup",
+ "CosmosDB"
],
"severity": "Medium",
"subcategory": "Backup Strategy",
@@ -11839,8 +11839,8 @@
"guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9",
"link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -11879,8 +11879,8 @@
"guid": "483835c9-86bb-4291-8155-a11475e39f54",
"link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -11893,8 +11893,8 @@
"guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
"link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -11921,8 +11921,8 @@
"guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
"services": [
- "Entra",
- "RBAC"
+ "RBAC",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity",
@@ -11935,12 +11935,12 @@
"guid": "aa369282-9e7e-4216-8836-87af467a1f89",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"services": [
- "WAF",
"Firewall",
- "VNet",
"DDoS",
+ "VNet",
"Subscriptions",
- "Entra"
+ "Entra",
+ "WAF"
],
"severity": "Low",
"subcategory": "DDoS",
@@ -11993,8 +11993,8 @@
"link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
"services": [
"Firewall",
- "AzurePolicy",
- "NVA"
+ "NVA",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -12308,8 +12308,8 @@
"guid": "76af4a69-1e88-439a-ba46-667e13c10567",
"link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
"services": [
- "VNet",
- "AKS"
+ "AKS",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Cluster Design",
@@ -12393,8 +12393,8 @@
"guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8",
"link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster",
"services": [
- "AKS",
- "Arc"
+ "Arc",
+ "AKS"
],
"severity": "High",
"subcategory": "Control plane",
@@ -12418,9 +12418,9 @@
"guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
"services": [
- "AKS",
+ "Arc",
"Defender",
- "Arc"
+ "AKS"
],
"severity": "Medium",
"subcategory": "Posture",
@@ -12433,9 +12433,9 @@
"guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1",
"link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider",
"services": [
- "AKS",
+ "Arc",
"AKV",
- "Arc"
+ "AKS"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -12459,8 +12459,8 @@
"guid": "b4935ada-4232-44ec-b81c-123181a64174",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes",
"services": [
- "AzurePolicy",
- "Monitor"
+ "Monitor",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Workload",
@@ -12486,14 +12486,1006 @@
"guid": "e209d4a0-da57-4778-924d-216785d2fa56",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
"services": [
- "ACR",
- "Subscriptions"
+ "Subscriptions",
+ "ACR"
],
"severity": "Low",
"subcategory": "Workload",
"text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.",
"waf": "Security"
},
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Metaprompting",
+ "text": "Follow Metaprompting guardrails for resonsible AI",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "services": [
+ "APIM",
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Load Balancing",
+ "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor"
+ ],
+ "severity": "High",
+ "subcategory": "Monitoring",
+ "text": "Enable monitoring for your AOAI instances",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "services": [
+ "Subscriptions",
+ "Monitor",
+ "AKV"
+ ],
+ "severity": "High",
+ "subcategory": "Alerts",
+ "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor"
+ ],
+ "severity": "High",
+ "subcategory": "Monitoring",
+ "text": "Monitor token usage to prevent service disruptions due to capacity",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Observability",
+ "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "services": [
+ "APIM"
+ ],
+ "severity": "Low",
+ "subcategory": "Observability",
+ "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "services": [
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Authentication",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
+ "waf": "Security"
+ },
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Evaluation",
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operational Execellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Hosting model",
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance"
+ },
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Content Safety",
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Throughput definition",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Latency improvement",
+ "text": "Improve latency of the system by limiting token sizes, streaming options",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "services": [
+ "Storage",
+ "ServiceBus"
+ ],
+ "severity": "Medium",
+ "subcategory": "Elasticity segregation",
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Benchmarking",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Elasticity ",
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Model choice",
+ "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Fine tuning",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
+ "waf": "Performance"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "services": [
+ "ACR"
+ ],
+ "severity": "Low",
+ "subcategory": "Multi-region architecture",
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "services": [
+ "APIM",
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Load balancing",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Quotas",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "UX best practice",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "services": [
+ "ACR"
+ ],
+ "severity": "Medium",
+ "subcategory": "Load balancing",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "services": [
+ "ASR",
+ "Backup"
+ ],
+ "severity": "Medium",
+ "subcategory": "Data Backup and Disaster Recovery",
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "SLA considerations",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Data Sensitivity",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Encryption at Rest",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "services": [
+ "ACR"
+ ],
+ "severity": "High",
+ "subcategory": "Transit Encryption",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "services": [
+ "RBAC"
+ ],
+ "severity": "High",
+ "subcategory": "Access Control",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Data Masking and Redaction",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "services": [
+ "Defender",
+ "Monitor",
+ "Sentinel"
+ ],
+ "severity": "High",
+ "subcategory": "Threat Detection and Monitoring",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "services": [
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Data Retention and Disposal",
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security"
+ },
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Jail break Safety",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Data Privacy and Compliance",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Employee Awareness and Training",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Environment segregation",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Index Segregation",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "services": [
+ "RBAC",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Sensitive Data in Separate Instances",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Embedding and Vector handling",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "services": [
+ "RBAC"
+ ],
+ "severity": "High",
+ "subcategory": "Access control",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "services": [
+ "PrivateLink"
+ ],
+ "severity": "High",
+ "subcategory": "Network security",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "services": [
+ "Firewall",
+ "VNet"
+ ],
+ "severity": "High",
+ "subcategory": "Network security",
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Control Network Access",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Security"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "Medium",
+ "subcategory": "Token Optimization",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "services": [
+ "AKV",
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Secure APIs and Endpoints",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Implement Strong Authentication",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Use Network Monitoring",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Security Audits and Penetration Testing",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Infrastructure Deployment",
+ "text": "Azure AI Service accounts follows organizational naming conventions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Diagnostics Logging",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Identity and Access Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "services": [
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Entra ID based access",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "services": [
+ "AKV",
+ "Entra"
+ ],
+ "severity": "High",
+ "subcategory": "Secure Key Management",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "services": [
+ "AKV"
+ ],
+ "severity": "High",
+ "subcategory": "Key Rotation and Expiration",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "waf": "Security"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "High",
+ "subcategory": "Token Optimization",
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Secure coding practice",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "waf": "Security"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Patching and updates",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
+ "waf": "Security"
+ },
+ {
+ "category": "Responsible AI",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "services": [
+ "AzurePolicy"
+ ],
+ "severity": "High",
+ "subcategory": "Governance",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "Medium",
+ "subcategory": "Cost familiarization",
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "High",
+ "subcategory": "Batch processing",
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor",
+ "Cost"
+ ],
+ "severity": "Medium",
+ "subcategory": "Cost monitoring",
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "Medium",
+ "subcategory": "Token limit",
+ "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "AI Search Reliability",
+ "text": "Review the guidance provided on setting up AI search for Reliability",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "services": [
+ "Storage"
+ ],
+ "severity": "Medium",
+ "subcategory": "AI Search Vector Limits",
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "DevOps",
+ "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "High",
+ "subcategory": "Costing Model",
+ "text": "Evaluate usage of billing models - PAYG vs PTU",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "DevOps",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "services": [
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Development",
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Governance and Security",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Security Audits and Penetration Testing",
+ "text": "Red team your GenAI applications",
+ "waf": "Security"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "End user feedback",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operational Excellence"
+ },
+ {
+ "category": "Cost Optimization",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "services": [
+ "Cost"
+ ],
+ "severity": "High",
+ "subcategory": "Quota Management",
+ "text": "Consider Quota management practices",
+ "waf": "Cost Optimization"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "services": [
+ "APIM",
+ "ACR",
+ "LoadBalancer",
+ "Entra"
+ ],
+ "severity": "Medium",
+ "subcategory": "Load Balancing",
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational Excellence"
+ },
{
"category": "Operations Management",
"checklist": "Cognitive Services Review Checklist",
@@ -12527,8 +13519,8 @@
"link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
"service": "Cognitive Services",
"services": [
- "Backup",
- "ASR"
+ "ASR",
+ "Backup"
],
"severity": "High",
"subcategory": "Backup",
@@ -13085,8 +14077,8 @@
"guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
"link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/",
"services": [
- "AVD",
"ASR",
+ "AVD",
"VM",
"Subscriptions"
],
@@ -13102,8 +14094,8 @@
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr",
"services": [
- "AVD",
"ASR",
+ "AVD",
"VM",
"Storage"
],
@@ -13119,8 +14111,8 @@
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"services": [
- "AVD",
- "ASR"
+ "ASR",
+ "AVD"
],
"severity": "Low",
"subcategory": "Compute",
@@ -13134,9 +14126,9 @@
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262",
"services": [
+ "ASR",
"AVD",
- "ACR",
- "ASR"
+ "ACR"
],
"severity": "High",
"subcategory": "Compute",
@@ -13150,10 +14142,10 @@
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"services": [
- "AVD",
- "Backup",
"ASR",
- "VM"
+ "AVD",
+ "VM",
+ "Backup"
],
"severity": "Medium",
"subcategory": "Compute",
@@ -13168,10 +14160,10 @@
"link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery",
"services": [
"AVD",
- "Cost",
"Backup",
+ "VM",
"ASR",
- "VM"
+ "Cost"
],
"severity": "Medium",
"subcategory": "Compute",
@@ -13186,10 +14178,10 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery",
"services": [
"AVD",
- "Storage",
- "ASR",
+ "ACR",
"VM",
- "ACR"
+ "Storage",
+ "ASR"
],
"severity": "Low",
"subcategory": "Dependencies",
@@ -13203,8 +14195,8 @@
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"services": [
- "AVD",
- "ASR"
+ "ASR",
+ "AVD"
],
"severity": "Medium",
"subcategory": "Dependencies",
@@ -13218,8 +14210,8 @@
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
"services": [
- "AVD",
"ASR",
+ "AVD",
"Storage"
],
"severity": "Medium",
@@ -13235,10 +14227,10 @@
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"services": [
"AVD",
- "Storage",
"Backup",
- "ASR",
- "AzurePolicy"
+ "AzurePolicy",
+ "Storage",
+ "ASR"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -13252,8 +14244,8 @@
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"services": [
- "AVD",
"ASR",
+ "AVD",
"Storage"
],
"severity": "Medium",
@@ -13268,9 +14260,9 @@
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"link": "https://docs.microsoft.com/azure/backup/backup-afs",
"services": [
+ "ASR",
"AVD",
"Backup",
- "ASR",
"Storage"
],
"severity": "Medium",
@@ -13285,8 +14277,8 @@
"guid": "10d4e875-d502-4142-a795-f2b6eff34f88",
"link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage",
"services": [
- "AVD",
"ASR",
+ "AVD",
"Storage"
],
"severity": "High",
@@ -13302,10 +14294,10 @@
"link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering",
"services": [
"AVD",
- "Storage",
+ "ACR",
"Backup",
- "ASR",
- "ACR"
+ "Storage",
+ "ASR"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -13419,8 +14411,8 @@
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
"services": [
- "AVD",
- "RBAC"
+ "RBAC",
+ "AVD"
],
"severity": "Low",
"subcategory": "Golden Images",
@@ -13478,8 +14470,8 @@
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"services": [
"AVD",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "MSIX & AppAttach",
@@ -13507,8 +14499,8 @@
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"services": [
- "AVD",
"RBAC",
+ "AVD",
"VM",
"Storage"
],
@@ -13905,10 +14897,10 @@
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
"services": [
+ "Storage",
"AVD",
- "Entra",
"VNet",
- "Storage"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Active Directory",
@@ -13968,8 +14960,8 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
"services": [
"AVD",
- "Entra",
- "VM"
+ "VM",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Active Directory",
@@ -13999,9 +14991,9 @@
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"services": [
"AVD",
- "Entra",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Active Directory",
@@ -14031,8 +15023,8 @@
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable",
"services": [
"AVD",
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Microsoft Entra ID",
@@ -14047,9 +15039,9 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
"services": [
"AVD",
- "Entra",
+ "Subscriptions",
"VNet",
- "Subscriptions"
+ "Entra"
],
"severity": "High",
"subcategory": "Requirements",
@@ -14109,8 +15101,8 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
"services": [
"AVD",
- "Entra",
- "VM"
+ "VM",
+ "Entra"
],
"severity": "High",
"subcategory": "Requirements",
@@ -14140,8 +15132,8 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template",
"services": [
"AVD",
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Low",
"subcategory": "Management",
@@ -14156,8 +15148,8 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/management",
"services": [
"AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
],
"severity": "Low",
"subcategory": "Management",
@@ -14187,9 +15179,9 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios",
"services": [
"AVD",
- "Cost",
+ "Monitor",
"VM",
- "Monitor"
+ "Cost"
],
"severity": "Medium",
"subcategory": "Management",
@@ -14203,8 +15195,8 @@
"guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
"link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect",
"services": [
- "AVD",
"Cost",
+ "AVD",
"VM",
"Monitor"
],
@@ -14220,11 +15212,11 @@
"guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
"link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them",
"services": [
- "Monitor",
"AVD",
- "Cost",
"AzurePolicy",
- "VM"
+ "Monitor",
+ "VM",
+ "Cost"
],
"severity": "Low",
"subcategory": "Management",
@@ -14238,14 +15230,14 @@
"guid": "51bcafca-476a-48fa-9b91-9645a7679f20",
"link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources",
"services": [
- "Monitor",
+ "VPN",
"AVD",
- "Cost",
+ "DNS",
+ "Monitor",
"Storage",
+ "VWAN",
"ExpressRoute",
- "VPN",
- "DNS",
- "VWAN"
+ "Cost"
],
"severity": "Low",
"subcategory": "Management",
@@ -14259,10 +15251,10 @@
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations",
"services": [
- "AVD",
- "Entra",
"Cost",
- "Monitor"
+ "AVD",
+ "Monitor",
+ "Entra"
],
"severity": "Low",
"subcategory": "Management",
@@ -14307,8 +15299,8 @@
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"services": [
"AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
],
"severity": "Medium",
"subcategory": "Management",
@@ -14323,8 +15315,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops",
"services": [
"AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
],
"severity": "Medium",
"subcategory": "Management",
@@ -14370,8 +15362,8 @@
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"services": [
"AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -14416,8 +15408,8 @@
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"services": [
- "AVD",
"ExpressRoute",
+ "AVD",
"NVA",
"VPN"
],
@@ -14434,8 +15426,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity",
"services": [
"AVD",
- "VWAN",
- "VNet"
+ "VNet",
+ "VWAN"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -14464,10 +15456,10 @@
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"services": [
- "AVD",
"Firewall",
- "VNet",
- "NVA"
+ "AVD",
+ "NVA",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -14510,10 +15502,10 @@
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"services": [
- "AVD",
"Firewall",
- "VNet",
- "NVA"
+ "AVD",
+ "NVA",
+ "VNet"
],
"severity": "Low",
"subcategory": "Networking",
@@ -14557,11 +15549,11 @@
"guid": "ec27d589-9178-426d-8df2-ff60020f30a6",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints",
"services": [
+ "VNet",
"PrivateLink",
"AVD",
- "VNet",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -14620,8 +15612,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview",
"services": [
"AVD",
- "AKV",
"VM",
+ "AKV",
"Storage"
],
"severity": "Low",
@@ -14739,11 +15731,11 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud",
"services": [
"AVD",
- "AKV",
"Subscriptions",
"Defender",
+ "VM",
"Storage",
- "VM"
+ "AKV"
],
"severity": "Medium",
"subcategory": "Management",
@@ -14758,8 +15750,8 @@
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs",
"services": [
"AVD",
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Management",
@@ -14773,9 +15765,9 @@
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"services": [
+ "RBAC",
"AVD",
- "Entra",
- "RBAC"
+ "Entra"
],
"severity": "Low",
"subcategory": "Management",
@@ -14850,8 +15842,8 @@
"services": [
"AVD",
"ACR",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Low",
"subcategory": "Azure Files",
@@ -14973,8 +15965,8 @@
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"services": [
"AVD",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "High",
"subcategory": "Capacity Planning",
@@ -14988,8 +15980,8 @@
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers",
"services": [
- "AVD",
"ASR",
+ "AVD",
"Storage"
],
"severity": "High",
@@ -15203,8 +16195,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
"service": "ACR",
"services": [
- "ACR",
"RBAC",
+ "ACR",
"Entra"
],
"severity": "High",
@@ -15220,8 +16212,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
"service": "ACR",
"services": [
- "ACR",
"RBAC",
+ "ACR",
"Entra"
],
"severity": "High",
@@ -15237,8 +16229,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
"service": "ACR",
"services": [
- "ACR",
"RBAC",
+ "ACR",
"Entra"
],
"severity": "High",
@@ -15285,9 +16277,9 @@
"guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
"service": "ACR",
"services": [
+ "PrivateLink",
"EventHubs",
"ACR",
- "PrivateLink",
"Entra"
],
"severity": "High",
@@ -15320,8 +16312,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
"service": "ACR",
"services": [
- "ACR",
"Monitor",
+ "ACR",
"Entra"
],
"severity": "Medium",
@@ -15338,9 +16330,9 @@
"service": "ACR",
"services": [
"PrivateLink",
+ "Firewall",
"ACR",
- "VNet",
- "Firewall"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Network Security",
@@ -15387,8 +16379,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
"service": "ACR",
"services": [
- "ACR",
- "Defender"
+ "Defender",
+ "ACR"
],
"severity": "Low",
"subcategory": "Network Security",
@@ -15463,11 +16455,11 @@
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
"service": "Event Hubs",
"services": [
+ "TrafficManager",
"EventHubs",
- "RBAC",
"AzurePolicy",
"Entra",
- "TrafficManager"
+ "RBAC"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -15484,10 +16476,10 @@
"service": "Event Hubs",
"services": [
"EventHubs",
- "AKV",
- "Storage",
"VM",
- "Entra"
+ "Storage",
+ "Entra",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -15503,9 +16495,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
"service": "Event Hubs",
"services": [
+ "RBAC",
"EventHubs",
- "Entra",
- "RBAC"
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -15521,9 +16513,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
"service": "Event Hubs",
"services": [
+ "Monitor",
"EventHubs",
- "VNet",
- "Monitor"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -15539,9 +16531,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
"service": "Event Hubs",
"services": [
+ "PrivateLink",
"EventHubs",
- "VNet",
- "PrivateLink"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -15587,8 +16579,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
"service": "Event Hubs",
"services": [
- "EventHubs",
- "ACR"
+ "ACR",
+ "EventHubs"
],
"severity": "High",
"subcategory": "Zone Redudancy",
@@ -15617,8 +16609,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
"service": "Event Hubs",
"services": [
- "EventHubs",
- "ASR"
+ "ASR",
+ "EventHubs"
],
"severity": "High",
"subcategory": "Geo Redudancy",
@@ -15633,8 +16625,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
"service": "Event Hubs",
"services": [
- "EventHubs",
- "ASR"
+ "ASR",
+ "EventHubs"
],
"severity": "Medium",
"subcategory": "Geo Redudancy",
@@ -15662,8 +16654,8 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
"service": "Azure Monitor",
"services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Azure Monitor - enforce data collection rules",
@@ -15720,8 +16712,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
"services": [
"Backup",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Delete/archive",
@@ -15735,10 +16727,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
"service": "Azure Backup",
"services": [
- "Backup",
- "Cost",
"ASR",
- "Storage"
+ "Backup",
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Delete/archive",
@@ -15752,8 +16744,8 @@
"link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
"service": "Azure Monitor",
"services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Log Analytics retention for workspaces",
@@ -15768,9 +16760,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"service": "Azure Monitor",
"services": [
- "Cost",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Policy",
@@ -15814,9 +16806,9 @@
"service": "VM",
"services": [
"Backup",
- "Cost",
"VM",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "stopped/deallocated VMs: check disks",
@@ -15831,9 +16823,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"service": "Storage",
"services": [
- "Cost",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "storage accounts lifecycle policy",
@@ -15886,9 +16878,9 @@
"guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
"services": [
- "Cost",
"VM",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "DB optimization",
@@ -15929,8 +16921,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Advisor",
@@ -15956,8 +16948,8 @@
"guid": "b835556d-f2bf-4e45-93b0-d834a348726d",
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Automation",
@@ -15996,8 +16988,8 @@
"guid": "733be2a1-a27b-4765-a91b-e1f388ef394c",
"link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Baseline",
@@ -16010,8 +17002,8 @@
"guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae",
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Baseline",
@@ -16144,10 +17136,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
"service": "VM",
"services": [
+ "SQL",
"VM",
- "Cost",
"AzurePolicy",
- "SQL"
+ "Cost"
],
"severity": "Medium",
"subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL",
@@ -16175,8 +17167,8 @@
"guid": "a76af4a6-91e8-4839-ada4-6667e13c1056",
"link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
"services": [
- "Cost",
- "AppSvc"
+ "AppSvc",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Functions",
@@ -16190,8 +17182,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Planning",
@@ -16207,8 +17199,8 @@
"service": "VM",
"services": [
"ARS",
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Reservations/savings plans",
@@ -16248,8 +17240,8 @@
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
"service": "VM",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Reserve storage",
@@ -16263,8 +17255,8 @@
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Reserve VMs with normalized and rationalized sizes",
@@ -16278,9 +17270,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
"service": "Azure SQL",
"services": [
- "Cost",
+ "SQL",
"AzurePolicy",
- "SQL"
+ "Cost"
],
"severity": "Medium",
"subcategory": "SQL Database AHUB",
@@ -16294,9 +17286,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
"service": "VM",
"services": [
- "Cost",
+ "SQL",
"VM",
- "SQL"
+ "Cost"
],
"severity": "Medium",
"subcategory": "SQL Database Reservations",
@@ -16322,8 +17314,8 @@
"guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
"services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Tracking",
@@ -16336,8 +17328,8 @@
"guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review",
"services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Automation",
@@ -16350,8 +17342,8 @@
"guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
"services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Automation",
@@ -16365,8 +17357,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Autoscale",
@@ -16450,9 +17442,9 @@
"link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
"service": "Databricks",
"services": [
+ "VM",
"LoadBalancer",
- "Cost",
- "VM"
+ "Cost"
],
"severity": "Medium",
"subcategory": "Databricks",
@@ -16496,8 +17488,8 @@
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
"service": "Azure Functions",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Functions",
@@ -16583,8 +17575,8 @@
"service": "Front Door",
"services": [
"EventHubs",
- "Cost",
- "FrontDoor"
+ "FrontDoor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -16598,9 +17590,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
"service": "Front Door",
"services": [
- "Cost",
"AppSvc",
- "FrontDoor"
+ "FrontDoor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -16640,8 +17632,8 @@
"link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
"service": "Storage",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16655,8 +17647,8 @@
"link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
"service": "VM",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16670,8 +17662,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
"service": "Storage",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16685,8 +17677,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
"service": "Storage",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16700,9 +17692,9 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
"service": "Site Recovery",
"services": [
- "Cost",
"ASR",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16716,8 +17708,8 @@
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
"service": "Storage",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "storage",
@@ -16731,8 +17723,8 @@
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
"service": "VM",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -16747,8 +17739,8 @@
"service": "Synapse",
"services": [
"EventHubs",
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Synapse",
@@ -16762,8 +17754,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability",
"service": "Synapse",
"services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Synapse",
@@ -16777,8 +17769,8 @@
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
"service": "Synapse",
"services": [
- "Cost",
- "SQL"
+ "SQL",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Synapse",
@@ -16835,8 +17827,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "VM",
@@ -16851,8 +17843,8 @@
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "VM",
@@ -16866,8 +17858,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "VM",
@@ -16882,9 +17874,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "VM",
"services": [
- "Cost",
+ "Monitor",
"VM",
- "Monitor"
+ "Cost"
],
"severity": "Medium",
"subcategory": "VM",
@@ -16899,8 +17891,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "VM",
"services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
],
"severity": "Medium",
"subcategory": "VM",
@@ -17305,8 +18297,8 @@
"service": "APIM",
"services": [
"APIM",
- "Entra",
- "FrontDoor"
+ "FrontDoor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Connectivity",
@@ -17336,9 +18328,9 @@
"service": "APIM",
"services": [
"APIM",
- "Entra",
+ "Monitor",
"VNet",
- "Monitor"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -17353,9 +18345,9 @@
"service": "APIM",
"services": [
"APIM",
- "Entra",
+ "PrivateLink",
"VNet",
- "PrivateLink"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -17542,9 +18534,9 @@
"service": "APIM",
"services": [
"APIM",
- "Entra",
"AppGW",
- "WAF"
+ "WAF",
+ "Entra"
],
"severity": "High",
"subcategory": "Network",
@@ -17558,8 +18550,8 @@
"guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687",
"link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "VM Size",
@@ -17573,8 +18565,8 @@
"guid": "e04abe1f-8d39-4fda-9776-8424c116775c",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Medium",
"subcategory": "VM Size",
@@ -17588,9 +18580,9 @@
"guid": "2ea55b56-ad48-4408-be72-734b476ba18f",
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -17604,8 +18596,8 @@
"guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17619,8 +18611,8 @@
"guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17634,9 +18626,9 @@
"guid": "25659d35-58fd-4772-99c9-31112d027fe4",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
- "Cost",
+ "SQL",
"Storage",
- "SQL"
+ "Cost"
],
"severity": "High",
"subcategory": "Storage",
@@ -17650,9 +18642,9 @@
"guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -17666,9 +18658,9 @@
"guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17682,9 +18674,9 @@
"guid": "05674b5e-985b-4859-a773-e7e261623b77",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
+ "SQL",
"AzurePolicy",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17698,9 +18690,9 @@
"guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17714,8 +18706,8 @@
"guid": "155abb91-63e9-4908-ae28-c84c33b6b780",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "High",
"subcategory": "Storage",
@@ -17729,8 +18721,8 @@
"guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Medium",
"subcategory": "HADR",
@@ -17744,8 +18736,8 @@
"guid": "ac6aae01-e6a8-44de-9df4-3d1992481718",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "HADR",
@@ -17759,10 +18751,10 @@
"guid": "d5d1e5f6-2565-49d3-958f-d77249c93111",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli",
"services": [
- "VNet",
- "LoadBalancer",
+ "SQL",
"VM",
- "SQL"
+ "LoadBalancer",
+ "VNet"
],
"severity": "Medium",
"subcategory": "HADR",
@@ -17805,10 +18797,10 @@
"guid": "667313c4-0567-44b5-b985-b859c773e7e2",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb",
"services": [
- "VNet",
- "LoadBalancer",
+ "SQL",
"VM",
- "SQL"
+ "LoadBalancer",
+ "VNet"
],
"severity": "High",
"subcategory": "HADR",
@@ -17822,8 +18814,8 @@
"guid": "61623b77-5a91-47e1-b348-ef354c27d42e",
"link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "Low",
"subcategory": "SQL Server",
@@ -17837,8 +18829,8 @@
"guid": "8bbac868-155a-4bb9-863e-9908ae28c84c",
"link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "High",
"subcategory": "SQL Server",
@@ -17866,9 +18858,9 @@
"guid": "b824546c-e1ae-4e34-93ae-c8239248725d",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features",
"services": [
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Low",
"subcategory": "SQL Server",
@@ -17882,8 +18874,8 @@
"guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6",
"link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "SQL Server",
@@ -17897,8 +18889,8 @@
"guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6",
"link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "SQL Server",
@@ -17912,8 +18904,8 @@
"guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c",
"link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Low",
"subcategory": "SQL Server",
@@ -17927,8 +18919,8 @@
"guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d",
"link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "SQL Server",
@@ -17942,8 +18934,8 @@
"guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479",
"link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "SQL Server",
@@ -17957,8 +18949,8 @@
"guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c",
"link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Medium",
"subcategory": "SQL Server",
@@ -17972,10 +18964,10 @@
"guid": "e36c1c81-770a-4fbc-9c0d-43918648d285",
"link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu",
"services": [
- "Cost",
+ "SQL",
"VM",
"Storage",
- "SQL"
+ "Cost"
],
"severity": "Low",
"subcategory": "Cost Optimization",
@@ -17990,8 +18982,8 @@
"guid": "7ed67178-b824-4546-ae1a-ee3453aec823",
"link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/",
"services": [
- "Cost",
- "SQL"
+ "SQL",
+ "Cost"
],
"severity": "Low",
"subcategory": "Cost Optimization",
@@ -18005,8 +18997,8 @@
"guid": "9248725d-d68c-45b5-a292-5394a69a9d27",
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Medium",
"subcategory": "Azure",
@@ -18021,8 +19013,8 @@
"guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc",
"link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "High",
"subcategory": "Azure",
@@ -18036,9 +19028,9 @@
"guid": "74a748b6-633a-4d2a-8916-a66498fad0e2",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
"services": [
+ "SQL",
"VM",
- "Defender",
- "SQL"
+ "Defender"
],
"severity": "High",
"subcategory": "Azure",
@@ -18053,8 +19045,8 @@
"guid": "78ee293c-1bc3-452b-aaab-7571849ab809",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql",
"services": [
- "EventHubs",
- "SQL"
+ "SQL",
+ "EventHubs"
],
"severity": "High",
"subcategory": "Pre Migration",
@@ -18160,8 +19152,8 @@
"guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi",
"services": [
- "VNet",
- "SQL"
+ "SQL",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Pre Migration",
@@ -18176,8 +19168,8 @@
"guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi",
"services": [
- "VNet",
- "SQL"
+ "SQL",
+ "VNet"
],
"severity": "High",
"subcategory": "Deployment",
@@ -18296,8 +19288,8 @@
"guid": "829e3eec-2183-4687-a007-7a2b5945bda4",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell",
"services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
],
"severity": "Medium",
"subcategory": "Deployment",
@@ -18311,8 +19303,8 @@
"guid": "3334fdf9-1c23-4418-8b65-275269440b4b",
"link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore",
"services": [
- "Backup",
- "SQL"
+ "SQL",
+ "Backup"
],
"severity": "Low",
"subcategory": "Migration",
@@ -18368,9 +19360,9 @@
"guid": "141acdce-5793-477b-adb3-751ab2ac1fad",
"link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover",
"services": [
+ "SQL",
"EventHubs",
- "LoadBalancer",
- "SQL"
+ "LoadBalancer"
],
"severity": "High",
"subcategory": "Post Migration",
@@ -18384,8 +19376,8 @@
"guid": "aa359272-8e6e-4205-8726-76ae46691e88",
"link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525",
"services": [
- "Storage",
- "SQL"
+ "SQL",
+ "Storage"
],
"severity": "High",
"subcategory": "Post Migration",
@@ -18400,10 +19392,10 @@
"guid": "35ad9422-23e1-4381-8523-081a94174158",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk",
"services": [
- "AKV",
+ "SQL",
"Backup",
- "AzurePolicy",
- "SQL"
+ "AKV",
+ "AzurePolicy"
],
"severity": "Low",
"subcategory": "Post Migration",
@@ -18434,9 +19426,9 @@
"link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi",
"services": [
"ARS",
+ "SQL",
"Backup",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Low",
"subcategory": "Post Migration",
@@ -18451,8 +19443,8 @@
"guid": "ad88408f-3727-434c-a76b-a28021459014",
"link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview",
"services": [
- "Cost",
- "SQL"
+ "SQL",
+ "Cost"
],
"severity": "Low",
"subcategory": "Post Migration",
@@ -18467,8 +19459,8 @@
"guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1",
"link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql",
"services": [
- "Defender",
- "SQL"
+ "SQL",
+ "Defender"
],
"severity": "Medium",
"subcategory": "Post Migration",
@@ -18697,8 +19689,8 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
"service": "Azure Storage",
"services": [
- "AzurePolicy",
"Subscriptions",
+ "AzurePolicy",
"Storage"
],
"severity": "High",
@@ -18759,8 +19751,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -18774,9 +19766,9 @@
"guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
"service": "Azure Storage",
"services": [
- "Entra",
"RBAC",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -18791,8 +19783,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -18807,8 +19799,8 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
"service": "Azure Storage",
"services": [
- "AKV",
"Monitor",
+ "AKV",
"Storage",
"Entra"
],
@@ -18825,9 +19817,9 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
"service": "Azure Storage",
"services": [
- "AKV",
- "AzurePolicy",
"Monitor",
+ "AzurePolicy",
+ "AKV",
"Storage"
],
"severity": "High",
@@ -18843,8 +19835,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
"service": "Azure Storage",
"services": [
- "AKV",
"AzurePolicy",
+ "AKV",
"Storage",
"Entra"
],
@@ -18861,9 +19853,9 @@
"link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
"service": "Azure Storage",
"services": [
- "Entra",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -18878,10 +19870,10 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
"service": "Azure Storage",
"services": [
- "Entra",
"AzurePolicy",
"AKV",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -18911,8 +19903,8 @@
"link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -18927,9 +19919,9 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
"service": "Azure Storage",
"services": [
- "Entra",
"AzurePolicy",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -18944,8 +19936,8 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -18960,8 +19952,8 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -18975,8 +19967,8 @@
"guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Low",
"subcategory": "Identity and Access Management",
@@ -18991,9 +19983,9 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
"service": "Azure Storage",
"services": [
- "Entra",
"RBAC",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -19007,8 +19999,8 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Identity and Access Management",
@@ -19082,8 +20074,8 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
"service": "Azure Storage",
"services": [
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity and Access Management",
@@ -19179,8 +20171,8 @@
"guid": "aa359271-8e6e-4205-8725-769e46691e88",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
"services": [
- "Entra",
- "Arc"
+ "Arc",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Capacity Planning",
@@ -19194,8 +20186,8 @@
"guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers",
"services": [
- "Subscriptions",
- "Arc"
+ "Arc",
+ "Subscriptions"
],
"severity": "High",
"subcategory": "General",
@@ -19264,8 +20256,8 @@
"guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies",
"services": [
- "Subscriptions",
- "Arc"
+ "Arc",
+ "Subscriptions"
],
"severity": "Low",
"subcategory": "Organization",
@@ -19279,9 +20271,9 @@
"guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control",
"services": [
- "Entra",
+ "Arc",
"RBAC",
- "Arc"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Access",
@@ -19294,8 +20286,8 @@
"guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e",
"link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad",
"services": [
- "AKV",
"Arc",
+ "AKV",
"Entra"
],
"severity": "Low",
@@ -19310,9 +20302,9 @@
"guid": "35ac9322-23e1-4380-8523-081a94174158",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
"services": [
- "Entra",
+ "Arc",
"Subscriptions",
- "Arc"
+ "Entra"
],
"severity": "High",
"subcategory": "Requirements",
@@ -19326,9 +20318,9 @@
"guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions",
"services": [
- "Entra",
+ "Arc",
"RBAC",
- "Arc"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Requirements",
@@ -19342,9 +20334,9 @@
"guid": "9d79f2e8-7778-4424-a516-775c6fa95b96",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale",
"services": [
- "Entra",
+ "Arc",
"RBAC",
- "Arc"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -19358,9 +20350,9 @@
"guid": "ad88408e-3727-434b-a76b-a28f21459013",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale",
"services": [
- "Entra",
+ "Arc",
"RBAC",
- "Arc"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -19374,9 +20366,9 @@
"guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions",
"services": [
- "Entra",
+ "Arc",
"RBAC",
- "Arc"
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -19390,8 +20382,8 @@
"guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Management",
@@ -19405,8 +20397,8 @@
"guid": "c78e1d76-6673-457c-9496-74c5ed85b859",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "High",
"subcategory": "Management",
@@ -19420,9 +20412,9 @@
"guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions",
"services": [
- "AzurePolicy",
+ "Arc",
"Monitor",
- "Arc"
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Management",
@@ -19436,8 +20428,8 @@
"guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "High",
"subcategory": "Management",
@@ -19451,8 +20443,8 @@
"guid": "7a927c39-74d1-4102-aac6-aae01e6a84de",
"link": "https://learn.microsoft.com/azure/automanage/automanage-arc",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Management",
@@ -19465,8 +20457,8 @@
"guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "High",
"subcategory": "Monitoring",
@@ -19479,8 +20471,8 @@
"guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d",
"link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -19493,8 +20485,8 @@
"guid": "92881b1c-d5d1-4e54-a296-59e3958fd782",
"link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -19507,8 +20499,8 @@
"guid": "89c93555-6d02-4bfe-9564-b0d834a34872",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -19521,8 +20513,8 @@
"guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -19536,8 +20528,8 @@
"guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Low",
"subcategory": "Security",
@@ -19580,9 +20572,9 @@
"link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security",
"services": [
"PrivateLink",
+ "Arc",
"ExpressRoute",
- "VPN",
- "Arc"
+ "VPN"
],
"severity": "Medium",
"subcategory": "Networking",
@@ -19639,8 +20631,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method",
"services": [
"PrivateLink",
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Low",
"subcategory": "Networking",
@@ -19653,8 +20645,8 @@
"guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c",
"link": "https://learn.microsoft.com/azure/governance/policy/",
"services": [
- "AzurePolicy",
- "Arc"
+ "Arc",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Management",
@@ -19680,8 +20672,8 @@
"guid": "667357c4-4967-44c5-bd85-b859c7733be2",
"link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create",
"services": [
- "AzurePolicy",
- "Arc"
+ "Arc",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Management",
@@ -19694,8 +20686,8 @@
"guid": "49674c5e-d85b-4859-a773-3be2a1a27b77",
"link": "https://learn.microsoft.com/azure/automation/change-tracking/overview",
"services": [
- "Monitor",
- "Arc"
+ "Arc",
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -19721,8 +20713,8 @@
"guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780",
"link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts",
"services": [
- "AKV",
- "Arc"
+ "Arc",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -19736,9 +20728,9 @@
"guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b",
"link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret",
"services": [
+ "Arc",
"AKV",
"Storage",
- "Arc",
"Entra"
],
"severity": "High",
@@ -19753,8 +20745,8 @@
"guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption",
"services": [
- "AKV",
- "Arc"
+ "Arc",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -19795,8 +20787,8 @@
"guid": "4b69bad3-8aad-453c-a78e-1d76667357c4",
"link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication",
"services": [
- "Entra",
- "Arc"
+ "Arc",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Security",
@@ -19810,8 +20802,8 @@
"guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868",
"link": "https://learn.microsoft.com/azure/security-center/security-center-get-started",
"services": [
- "Defender",
- "Arc"
+ "Arc",
+ "Defender"
],
"severity": "Medium",
"subcategory": "Security",
@@ -20641,8 +21633,8 @@
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"services": [
- "AKS",
- "ASR"
+ "ASR",
+ "AKS"
],
"severity": "High",
"subcategory": "Disaster Recovery",
@@ -20655,10 +21647,10 @@
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"services": [
- "AKS",
+ "TrafficManager",
"LoadBalancer",
- "FrontDoor",
- "TrafficManager"
+ "AKS",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "High Availability",
@@ -20716,8 +21708,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"service": "ACR",
"services": [
- "AKS",
- "ACR"
+ "ACR",
+ "AKS"
],
"severity": "High",
"subcategory": "High Availability",
@@ -20730,8 +21722,8 @@
"guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0",
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"services": [
- "AKS",
"ASR",
+ "AKS",
"Storage"
],
"severity": "High",
@@ -20820,8 +21812,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"service": "AKS",
"services": [
- "AKS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Compliance",
@@ -20864,8 +21856,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/",
"service": "AKS",
"services": [
- "AKS",
- "ACR"
+ "ACR",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Compliance",
@@ -20892,8 +21884,8 @@
"guid": "cc639637-a652-42ac-89e8-06965388e9de",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"services": [
- "AKS",
- "Defender"
+ "Defender",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Compliance",
@@ -20934,8 +21926,8 @@
"link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
"service": "AKS",
"services": [
- "AKS",
- "AKV"
+ "AKV",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -20949,8 +21941,8 @@
"link": "https://learn.microsoft.com/azure/aks/update-credentials",
"service": "AKS",
"services": [
- "AKS",
- "AKV"
+ "AKV",
+ "AKS"
],
"severity": "High",
"subcategory": "Secrets",
@@ -20964,8 +21956,8 @@
"link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
"service": "AKS",
"services": [
- "AKS",
- "AKV"
+ "AKV",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -20979,8 +21971,8 @@
"link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
"service": "AKS",
"services": [
- "AKS",
- "AKV"
+ "AKV",
+ "AKS"
],
"severity": "Low",
"subcategory": "Secrets",
@@ -20994,9 +21986,9 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
"service": "AKS",
"services": [
- "AKS",
+ "Defender",
"AKV",
- "Defender"
+ "AKS"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -21057,8 +22049,8 @@
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"service": "AKS",
"services": [
- "AKS",
"RBAC",
+ "AKS",
"Entra"
],
"severity": "Medium",
@@ -21073,8 +22065,8 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"service": "AKS",
"services": [
- "AKS",
"RBAC",
+ "AKS",
"Entra"
],
"severity": "High",
@@ -21195,9 +22187,9 @@
"link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
"service": "AKS",
"services": [
- "AKS",
"ACR",
- "AppGW"
+ "AppGW",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Best practices",
@@ -21241,8 +22233,8 @@
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"service": "AKS",
"services": [
- "AKS",
- "LoadBalancer"
+ "LoadBalancer",
+ "AKS"
],
"severity": "High",
"subcategory": "Best practices",
@@ -21271,10 +22263,10 @@
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"service": "AKS",
"services": [
+ "PrivateLink",
"VNet",
"AKS",
- "Cost",
- "PrivateLink"
+ "Cost"
],
"severity": "Medium",
"subcategory": "Cost",
@@ -21287,8 +22279,8 @@
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"services": [
- "AKS",
- "VPN"
+ "VPN",
+ "AKS"
],
"severity": "Medium",
"subcategory": "HA",
@@ -21447,8 +22439,8 @@
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"service": "AKS",
"services": [
- "AKS",
- "NVA"
+ "NVA",
+ "AKS"
],
"severity": "High",
"subcategory": "Security",
@@ -21493,8 +22485,8 @@
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"service": "AKS",
"services": [
- "AKS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Security",
@@ -21509,8 +22501,8 @@
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"service": "AKS",
"services": [
- "AKS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKS"
],
"severity": "High",
"subcategory": "Security",
@@ -21524,8 +22516,8 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"service": "AKS",
"services": [
- "AKS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKS"
],
"severity": "High",
"subcategory": "Security",
@@ -21556,8 +22548,8 @@
"service": "AKS",
"services": [
"VNet",
- "AKS",
- "DDoS"
+ "DDoS",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Security",
@@ -21600,8 +22592,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "High",
"subcategory": "Alerting",
@@ -21800,8 +22792,8 @@
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "Low",
"subcategory": "Compliance",
@@ -21860,8 +22852,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "High",
"subcategory": "Monitoring",
@@ -21876,8 +22868,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "High",
"subcategory": "Monitoring",
@@ -21891,8 +22883,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -21906,8 +22898,8 @@
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -21922,11 +22914,11 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"service": "AKS",
"services": [
- "EventHubs",
"ServiceBus",
+ "EventHubs",
"Monitor",
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -21940,10 +22932,10 @@
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"service": "AKS",
"services": [
- "AKS",
- "LoadBalancer",
"NVA",
- "Monitor"
+ "Monitor",
+ "LoadBalancer",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -21957,8 +22949,8 @@
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
"service": "AKS",
"services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -22000,8 +22992,8 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"service": "AKS",
"services": [
- "AKS",
- "Subscriptions"
+ "Subscriptions",
+ "AKS"
],
"severity": "High",
"subcategory": "Resources",
@@ -22190,9 +23182,9 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"service": "AKS",
"services": [
+ "SQL",
"AKS",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": "Storage",
@@ -22248,8 +23240,8 @@
"link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
"service": "Spring Apps",
"services": [
- "TrafficManager",
"ASR",
+ "TrafficManager",
"FrontDoor"
],
"severity": "Medium",
@@ -22884,8 +23876,8 @@
"guid": "074541e3-fe08-458a-8062-32d13dcc10c6",
"link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines",
"services": [
- "Backup",
"ASR",
+ "Backup",
"VM"
],
"severity": "High",
@@ -23074,8 +24066,8 @@
"guid": "8ea49f70-1038-4283-b0c4-230165d3eabc",
"link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery",
"services": [
- "Backup",
- "ASR"
+ "ASR",
+ "Backup"
],
"severity": "Medium",
"subcategory": "Disaster Recovery",
@@ -23216,9 +24208,9 @@
"link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "Backup",
- "ASR"
+ "Backup"
],
"severity": "Medium",
"subcategory": "Backup and restore",
@@ -23231,9 +24223,9 @@
"guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "Backup",
- "ASR"
+ "Backup"
],
"severity": "Medium",
"subcategory": "Disaster recovery",
@@ -23247,11 +24239,11 @@
"link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
"service": "SAP",
"services": [
- "Storage",
"SQL",
- "SAP",
"Backup",
- "ASR"
+ "Storage",
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "Disaster recovery",
@@ -23266,8 +24258,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "Medium",
"subcategory": "Disaster recovery",
@@ -23282,9 +24274,9 @@
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
"ExpressRoute",
- "ASR",
"VPN"
],
"severity": "High",
@@ -23300,9 +24292,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
"ACR",
- "ASR",
"AKV"
],
"severity": "Low",
@@ -23317,9 +24309,9 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "VNet",
- "ASR"
+ "VNet"
],
"severity": "Medium",
"subcategory": "Disaster recovery",
@@ -23333,8 +24325,8 @@
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "Low",
@@ -23350,8 +24342,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "Disaster recovery",
@@ -23366,9 +24358,9 @@
"link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "VNet",
- "ASR"
+ "VNet"
],
"severity": "High",
"subcategory": "Disaster recovery",
@@ -23382,10 +24374,10 @@
"guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
"service": "SAP",
"services": [
- "SAP",
- "Entra",
"ASR",
- "VM"
+ "SAP",
+ "VM",
+ "Entra"
],
"severity": "High",
"subcategory": "Disaster recovery",
@@ -23400,8 +24392,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "High availability",
@@ -23416,8 +24408,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "High availability",
@@ -23432,8 +24424,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"VM",
"Storage"
],
@@ -23450,8 +24442,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "High",
@@ -23467,8 +24459,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "High availability",
@@ -23483,9 +24475,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "LoadBalancer",
- "ASR"
+ "LoadBalancer"
],
"severity": "High",
"subcategory": "High availability",
@@ -23500,9 +24492,9 @@
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "LoadBalancer",
- "ASR"
+ "LoadBalancer"
],
"severity": "High",
"subcategory": "High availability",
@@ -23517,8 +24509,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "High",
"subcategory": "High availability",
@@ -23533,10 +24525,10 @@
"link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
"service": "SAP",
"services": [
- "SAP",
- "Entra",
"ASR",
- "VM"
+ "SAP",
+ "VM",
+ "Entra"
],
"severity": "High",
"subcategory": "High availability",
@@ -23550,11 +24542,11 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
"service": "SAP",
"services": [
- "SAP",
- "RBAC",
"VM",
+ "Entra",
"ASR",
- "Entra"
+ "RBAC",
+ "SAP"
],
"severity": "High",
"subcategory": "High availability",
@@ -23569,8 +24561,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "Medium",
"subcategory": "High availability",
@@ -23585,8 +24577,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"VM"
],
"severity": "High",
@@ -23602,9 +24594,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "Entra",
- "ASR"
+ "Entra"
],
"severity": "High",
"subcategory": "High availability",
@@ -23618,9 +24610,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "ACR",
- "ASR"
+ "ACR"
],
"severity": "High",
"subcategory": "High availability",
@@ -23634,9 +24626,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "Entra",
- "ASR"
+ "Entra"
],
"severity": "High",
"subcategory": "High availability",
@@ -23651,10 +24643,10 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
"service": "SAP",
"services": [
- "SAP",
- "Entra",
"ASR",
- "VM"
+ "SAP",
+ "VM",
+ "Entra"
],
"severity": "Medium",
"subcategory": "High availability",
@@ -23669,8 +24661,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"VM",
"Storage"
],
@@ -23686,8 +24678,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
"service": "SAP",
"services": [
- "SAP",
- "ASR"
+ "ASR",
+ "SAP"
],
"severity": "Medium",
"subcategory": "High availability",
@@ -23702,8 +24694,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "High",
@@ -23719,8 +24711,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "High",
@@ -23736,8 +24728,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "High",
@@ -23753,8 +24745,8 @@
"link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Storage"
],
"severity": "High",
@@ -23785,9 +24777,9 @@
"service": "SAP",
"services": [
"SAP",
- "Cost",
"VM",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Low",
"subcategory": " ",
@@ -23802,9 +24794,9 @@
"service": "SAP",
"services": [
"SAP",
- "Cost",
"VM",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Low",
"subcategory": " ",
@@ -23818,10 +24810,10 @@
"link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
"service": "SAP",
"services": [
- "SAP",
- "Entra",
"RBAC",
- "Subscriptions"
+ "SAP",
+ "Subscriptions",
+ "Entra"
],
"severity": "High",
"subcategory": "Identity",
@@ -24052,8 +25044,8 @@
"service": "SAP",
"services": [
"SAP",
- "AzurePolicy",
- "Subscriptions"
+ "Subscriptions",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -24166,8 +25158,8 @@
"services": [
"SAP",
"TrafficManager",
- "Cost",
- "Subscriptions"
+ "Subscriptions",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Subscriptions",
@@ -24183,8 +25175,8 @@
"service": "SAP",
"services": [
"SAP",
- "Backup",
- "Monitor"
+ "Monitor",
+ "Backup"
],
"severity": "High",
"subcategory": "BCDR",
@@ -24200,10 +25192,10 @@
"service": "SAP",
"services": [
"Monitor",
- "Storage",
- "SAP",
"VM",
- "Entra"
+ "Storage",
+ "Entra",
+ "SAP"
],
"severity": "Medium",
"subcategory": "BCDR",
@@ -24233,8 +25225,8 @@
"service": "SAP",
"services": [
"SAP",
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Management",
@@ -24250,8 +25242,8 @@
"service": "SAP",
"services": [
"SAP",
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Low",
"subcategory": "Management",
@@ -24266,8 +25258,8 @@
"service": "SAP",
"services": [
"SAP",
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
],
"severity": "Medium",
"subcategory": "Management",
@@ -24314,9 +25306,9 @@
"link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
"service": "SAP",
"services": [
+ "SQL",
"SAP",
- "Monitor",
- "SQL"
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -24332,9 +25324,9 @@
"service": "SAP",
"services": [
"SAP",
- "Entra",
+ "Monitor",
"VM",
- "Monitor"
+ "Entra"
],
"severity": "High",
"subcategory": "Monitoring",
@@ -24350,8 +25342,8 @@
"service": "SAP",
"services": [
"SAP",
- "AzurePolicy",
- "Monitor"
+ "Monitor",
+ "AzurePolicy"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -24416,8 +25408,8 @@
"link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Monitor",
"Storage"
],
@@ -24452,8 +25444,8 @@
"service": "SAP",
"services": [
"SAP",
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
],
"severity": "Medium",
"subcategory": "Monitoring",
@@ -24469,8 +25461,8 @@
"service": "SAP",
"services": [
"SAP",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
],
"severity": "Low",
"subcategory": "Performance",
@@ -24484,8 +25476,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Monitor"
],
"severity": "Medium",
@@ -24549,9 +25541,9 @@
"link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
"service": "SAP",
"services": [
+ "SQL",
"SAP",
- "Monitor",
- "SQL"
+ "Monitor"
],
"severity": "Medium",
"subcategory": "Performance",
@@ -24566,8 +25558,8 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Monitor"
],
"severity": "High",
@@ -24583,9 +25575,9 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "SAP",
"services": [
+ "AppGW",
"SAP",
"AzurePolicy",
- "AppGW",
"WAF"
],
"severity": "Medium",
@@ -24601,8 +25593,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
"service": "SAP",
"services": [
- "SAP",
"DNS",
+ "SAP",
"VM"
],
"severity": "Medium",
@@ -24618,8 +25610,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
"service": "SAP",
"services": [
- "SAP",
"DNS",
+ "SAP",
"VNet"
],
"severity": "Medium",
@@ -24686,8 +25678,8 @@
"service": "SAP",
"services": [
"SAP",
- "VNet",
- "NVA"
+ "NVA",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -24703,9 +25695,9 @@
"service": "SAP",
"services": [
"SAP",
- "VWAN",
+ "NVA",
"VNet",
- "NVA"
+ "VWAN"
],
"severity": "Medium",
"subcategory": "Hybrid",
@@ -24721,8 +25713,8 @@
"service": "SAP",
"services": [
"SAP",
- "VNet",
- "VM"
+ "VM",
+ "VNet"
],
"severity": "High",
"subcategory": "IP plan",
@@ -24737,9 +25729,9 @@
"link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
"service": "SAP",
"services": [
+ "ASR",
"SAP",
- "VNet",
- "ASR"
+ "VNet"
],
"severity": "High",
"subcategory": "IP plan",
@@ -24787,8 +25779,8 @@
"link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
"service": "SAP",
"services": [
- "SAP",
- "Firewall"
+ "Firewall",
+ "SAP"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -24820,11 +25812,11 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "SAP",
"services": [
- "WAF",
- "SAP",
+ "ACR",
"AzurePolicy",
- "FrontDoor",
- "ACR"
+ "SAP",
+ "WAF",
+ "FrontDoor"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -24839,10 +25831,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
"service": "SAP",
"services": [
- "WAF",
+ "AzurePolicy",
"AppGW",
"SAP",
- "AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -24859,9 +25851,9 @@
"service": "SAP",
"services": [
"SAP",
- "LoadBalancer",
"AppGW",
- "WAF"
+ "WAF",
+ "LoadBalancer"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -24893,12 +25885,12 @@
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
"service": "SAP",
"services": [
- "PrivateLink",
"VNet",
- "Storage",
- "SAP",
+ "PrivateLink",
"Backup",
- "ACR"
+ "ACR",
+ "Storage",
+ "SAP"
],
"severity": "Medium",
"subcategory": "Internet",
@@ -24946,8 +25938,8 @@
"service": "SAP",
"services": [
"SAP",
- "VNet",
- "VM"
+ "VM",
+ "VNet"
],
"severity": "Medium",
"subcategory": "Segmentation",
@@ -25057,8 +26049,8 @@
"service": "SAP",
"services": [
"SAP",
- "Backup",
- "VM"
+ "VM",
+ "Backup"
],
"severity": "High",
"subcategory": " ",
@@ -25072,8 +26064,8 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
"service": "SAP",
"services": [
- "SAP",
"ASR",
+ "SAP",
"Monitor"
],
"severity": "Medium",
@@ -25104,8 +26096,8 @@
"service": "SAP",
"services": [
"SAP",
- "Backup",
- "VM"
+ "VM",
+ "Backup"
],
"severity": "Medium",
"subcategory": " ",
@@ -25119,9 +26111,9 @@
"link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
"service": "SAP",
"services": [
+ "SQL",
"SAP",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"subcategory": " ",
@@ -25136,8 +26128,8 @@
"service": "SAP",
"services": [
"SAP",
- "Backup",
- "VM"
+ "VM",
+ "Backup"
],
"severity": "Medium",
"subcategory": " ",
@@ -25207,9 +26199,9 @@
"guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
"service": "SAP",
"services": [
+ "SQL",
"SAP",
- "Monitor",
- "SQL"
+ "Monitor"
],
"severity": "Medium",
"subcategory": " ",
@@ -25299,8 +26291,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
"service": "SAP",
"services": [
- "SAP",
- "SQL"
+ "SQL",
+ "SAP"
],
"severity": "Low",
"subcategory": "Governance",
@@ -25314,8 +26306,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
"service": "SAP",
"services": [
- "SAP",
- "SQL"
+ "SQL",
+ "SAP"
],
"severity": "High",
"subcategory": "Governance",
@@ -25330,11 +26322,11 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
"service": "SAP",
"services": [
- "AKV",
- "Storage",
"SQL",
+ "Backup",
+ "Storage",
"SAP",
- "Backup"
+ "AKV"
],
"severity": "High",
"subcategory": "Secrets",
@@ -25382,11 +26374,11 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
"service": "SAP",
"services": [
- "AKV",
"Subscriptions",
- "SAP",
+ "AzurePolicy",
"RBAC",
- "AzurePolicy"
+ "SAP",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -25402,8 +26394,8 @@
"service": "SAP",
"services": [
"SAP",
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Secrets",
@@ -25418,10 +26410,10 @@
"link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
"service": "SAP",
"services": [
- "SAP",
- "AKV",
"RBAC",
- "AzurePolicy"
+ "SAP",
+ "AzurePolicy",
+ "AKV"
],
"severity": "High",
"subcategory": "Secrets",
@@ -25437,8 +26429,8 @@
"service": "SAP",
"services": [
"SAP",
- "AKV",
"Defender",
+ "AKV",
"Storage"
],
"severity": "High",
@@ -25454,10 +26446,10 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
"service": "SAP",
"services": [
- "SAP",
- "AKV",
"RBAC",
- "Defender"
+ "SAP",
+ "Defender",
+ "AKV"
],
"severity": "High",
"subcategory": "Secrets",
@@ -25536,8 +26528,8 @@
"link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
"service": "SAP",
"services": [
- "SAP",
"RBAC",
+ "SAP",
"Subscriptions"
],
"severity": "High",
@@ -25553,9 +26545,9 @@
"link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
"service": "SAP",
"services": [
+ "PrivateLink",
"SAP",
- "NVA",
- "PrivateLink"
+ "NVA"
],
"severity": "High",
"subcategory": "Security",
@@ -25636,8 +26628,8 @@
"service": "SAP",
"services": [
"SAP",
- "AKV",
- "Monitor"
+ "Monitor",
+ "AKV"
],
"severity": "Medium",
"subcategory": "Security",
@@ -25721,7 +26713,7 @@
"Entra"
],
"severity": "Low",
- "text": "Ensure you have a Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants",
+ "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.",
"waf": "Operations"
},
{
@@ -25732,8 +26724,9 @@
"services": [
"WAF"
],
- "severity": "Low",
- "text": "Leverage Azure Lighthouse for Multi-Tenant Management",
+ "severity": "High",
+ "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.",
+ "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
"waf": "Operations"
},
{
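Review bot: The phrase "with the same IDs" added to the text line is ambiguous; it could mean the same administrator identities, the same tenant IDs or the same subscription IDs, and a reader working through the checklist cannot act on it. If the intent is that one set of identities administers every tenant, say so, e.g. `"text": "Use Azure Lighthouse for Multi-Tenant Management so that the same identities can administer every tenant.",`. The severity is raised from Low to High in the same hunk, so the wording should make the requirement unambiguous.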
@@ -25744,21 +26737,20 @@
"services": [
"WAF"
],
- "severity": "Medium",
- "text": "Ensure that Azure Lighthouse is used for administering the tenant by partner",
+ "severity": "High",
+ "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.",
"waf": "Cost"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "348ef254-c27d-442e-abba-c7571559ab91",
"link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
"service": "Entra",
"services": [
- "WAF",
- "ACR",
"RBAC",
- "Subscriptions"
+ "Subscriptions",
+ "ACR",
+ "WAF"
],
"severity": "High",
"text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.",
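Review bot: The partner-administration item is raised to High and reworded, but its pillar stays `"waf": "Cost"`, which does not match the new text: delegating tenant administration to a partner is an identity and access decision rather than a cost one. Unless Cost is deliberate, `"waf": "Security"` would keep the pillar consistent with the High severity and with the adjacent Lighthouse entries under Operations. The remaining fields of the RBAC entry that opens at the end of this hunk are outside it.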
@@ -25766,7 +26758,6 @@
"waf": "Security"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
"link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
@@ -25799,17 +26790,16 @@
"link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
"service": "Entra",
"services": [
+ "AzurePolicy",
"WAF",
- "Entra",
- "AzurePolicy"
+ "Entra"
],
- "severity": "Low",
- "text": "Enforce Microsoft Entra ID conditional-access policies for any user with rights to Azure environments",
+ "severity": "High",
+ "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.",
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"waf": "Security"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "1049d403-a923-4c34-94d0-0018ac6a9e01",
"link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
@@ -25818,7 +26808,7 @@
"WAF"
],
"severity": "High",
- "text": "Enforce multi-factor authentication for any user with rights to the Azure environments",
+ "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.",
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"waf": "Security"
},
@@ -25832,21 +26822,21 @@
"Entra"
],
"severity": "Medium",
- "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege",
+ "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"waf": "Security"
},
{
"checklist": "WAF checklist",
"guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview",
"service": "Entra",
"services": [
"WAF",
"Entra"
],
"severity": "Medium",
- "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads",
+ "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.",
"training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
"waf": "Security"
},
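Review bot: The replaced link on the Entra Domain Services entry carries a `/en-us/` locale segment, whereas the other learn.microsoft.com links in this file are locale-neutral (for example the `/azure/active-directory/...` links in the neighbouring entries). A locale-neutral URL lets the site serve the reader's language; use `"link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview",` with the locale removed, i.e. `"link": "https://learn.microsoft.com/entra/identity/domain-services/overview",`.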
@@ -25856,9 +26846,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
"service": "Entra",
"services": [
+ "Monitor",
"WAF",
- "Entra",
- "Monitor"
+ "Entra"
],
"severity": "Medium",
"text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.",
@@ -25874,7 +26864,7 @@
"WAF"
],
"severity": "High",
- "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout",
+ "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout.",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"waf": "Security"
},
@@ -25884,12 +26874,12 @@
"link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
"service": "Entra",
"services": [
+ "RBAC",
"WAF",
- "Entra",
- "RBAC"
+ "Entra"
],
"severity": "Medium",
- "text": "Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.",
+ "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.",
"training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
"waf": "Security"
},
@@ -25903,7 +26893,7 @@
"Entra"
],
"severity": "Medium",
- "text": "Where required, use Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications (hosted in the cloud or on-premises).",
+ "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.",
"training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
"waf": "Security"
},
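Review bot: The rewritten text turns the Application Proxy item from an access-control recommendation into a statement about resource ownership ("manage it as a Platform resource"), yet the pillar stays `"waf": "Security"` and the training link still points at the external-access learning path. If the one-instance-per-tenant point is the intended message, `"waf": "Operations"` would fit better, and the entry's `link` (outside this hunk, so I cannot confirm it) should be one that documents that limit; otherwise keep the original security framing alongside the new sentence.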
@@ -25918,29 +26908,28 @@
"VNet"
],
"severity": "Medium",
- "text": "Leverage a network design based on the traditional hub-and-spoke network topology for network scenarios that require maximum flexibility.",
+ "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.",
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
"service": "VNet",
"services": [
- "WAF",
"Firewall",
+ "VPN",
"VNet",
"NVA",
- "ExpressRoute",
- "VPN",
"DNS",
- "Entra"
+ "Entra",
+ "ExpressRoute",
+ "WAF"
],
"severity": "High",
- "text": "Ensure that shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS servers.",
+ "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.",
"waf": "Cost"
},
{
@@ -25950,11 +26939,11 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "VNet",
"services": [
- "WAF",
- "DDoS"
+ "DDoS",
+ "WAF"
],
- "severity": "Medium",
- "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
+ "severity": "High",
+ "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"waf": "Security"
},
@@ -25965,11 +26954,11 @@
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
"service": "NVA",
"services": [
- "WAF",
- "NVA"
+ "NVA",
+ "WAF"
],
"severity": "Medium",
- "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance",
+ "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.",
"waf": "Reliability"
},
{
@@ -25979,10 +26968,10 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
"service": "ExpressRoute",
"services": [
- "WAF",
"ARS",
+ "ExpressRoute",
"VPN",
- "ExpressRoute"
+ "WAF"
],
"severity": "Low",
"text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
@@ -25996,9 +26985,9 @@
"link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
"service": "ARS",
"services": [
+ "ARS",
"WAF",
- "VNet",
- "ARS"
+ "VNet"
],
"severity": "Low",
"text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
@@ -26011,8 +27000,8 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
"service": "VNet",
"services": [
- "WAF",
"ACR",
+ "WAF",
"VNet"
],
"severity": "Medium",
@@ -26027,8 +27016,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
"service": "VNet",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
@@ -26043,13 +27032,12 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
"service": "VNet",
"services": [
+ "ExpressRoute",
"WAF",
- "Entra",
- "VNet",
- "ExpressRoute"
+ "VNet"
],
"severity": "Medium",
- "text": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000)",
+ "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).",
"waf": "Reliability"
},
{
@@ -26064,11 +27052,10 @@
"Storage"
],
"severity": "Medium",
- "text": "Consider the limit of routes per route table (400).",
+ "text": "Limit the number of routes per route table to 400.",
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
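Review bot: "Limit the number of routes per route table to 400." turns what appears to be the platform maximum into an instruction that cannot be violated, so the reworded item no longer tells the reader what to do (the original at least flagged it as a limit to consider). Assuming the item's link is the networking limits page, as on the preceding item in this file, the actionable form is to plan for it: `"text": "Plan for the platform limit of 400 routes per route table: summarize prefixes and rely on BGP-propagated routes rather than large static UDR sets."`.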
@@ -26080,7 +27067,7 @@
"VNet"
],
"severity": "High",
- "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
"waf": "Reliability"
},
{
@@ -26090,8 +27077,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
@@ -26101,31 +27088,30 @@
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
- "VPN"
+ "VPN",
+ "WAF"
],
- "severity": "Low",
+ "severity": "Medium",
"text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "558fd772-49b8-4211-82df-27ee412e7f98",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "High",
- "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used",
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
"waf": "Security"
},
@@ -26139,13 +27125,12 @@
"services": [
"WAF"
],
- "severity": "Low",
+ "severity": "Medium",
"text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
@@ -26157,22 +27142,22 @@
"VNet"
],
"severity": "High",
- "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16)",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).",
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
"waf": "Performance"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
"link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
"service": "VNet",
"services": [
+ "ASR",
"WAF"
],
"severity": "High",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
+ "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.",
"training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
"waf": "Reliability"
},
@@ -26180,11 +27165,11 @@
"arm-service": "Microsoft.Network/dnsZones",
"checklist": "WAF checklist",
"guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
"service": "DNS",
"services": [
- "WAF",
- "DNS"
+ "DNS",
+ "WAF"
],
"severity": "Medium",
"text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
@@ -26198,12 +27183,12 @@
"link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
"service": "DNS",
"services": [
- "WAF",
"DNS",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
- "text": "For environments where name resolution across Azure and on-premises is required, consider using Azure DNS Private Resolver.",
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
"training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
"waf": "Security"
},
@@ -26214,25 +27199,24 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
"service": "DNS",
"services": [
- "WAF",
- "DNS"
+ "DNS",
+ "WAF"
],
"severity": "Low",
"text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
"waf": "Operations"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/dnsZones",
"checklist": "WAF checklist",
"guid": "614658d3-558f-4d77-849b-821112df27ee",
"link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
"service": "DNS",
"services": [
- "WAF",
"DNS",
- "VNet",
- "VM"
+ "VM",
+ "WAF",
+ "VNet"
],
"severity": "High",
"text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
@@ -26250,7 +27234,7 @@
"Bastion"
],
"severity": "Medium",
- "text": "Consider using Azure Bastion to securely connect to your network.",
+ "text": "Use Azure Bastion to securely connect to your network.",
"waf": "Security"
},
{
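Review bot: "Use Azure Bastion to securely connect to your network." overstates what Bastion does and drops the control it actually replaces: Bastion brokers RDP/SSH to virtual machines over TLS so that VMs need neither a public IP nor an exposed management port. I would make the item say that, e.g. `"text": "Use Azure Bastion for RDP/SSH access to virtual machines instead of exposing management ports on public IP addresses."`. This hunk only changes the first word of the sentence, so the imprecision predates the commit but is worth fixing while the line is being touched.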
@@ -26261,8 +27245,8 @@
"link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
"service": "Bastion",
"services": [
- "WAF",
"Bastion",
+ "WAF",
"VNet"
],
"severity": "Medium",
@@ -26276,9 +27260,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
"service": "WAF",
"services": [
- "WAF",
"ACR",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -26293,10 +27277,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "WAF",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "FrontDoor",
- "AppGW"
+ "WAF",
+ "FrontDoor"
],
"severity": "Low",
"text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
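Review bot: "Lock down Azure Application Gateway to receive traffic only from Azure Front Door." is under-specified as a security control: an NSG rule that allows the Front Door backend service tag admits traffic from every Front Door profile, not just the organisation's own, so the WAF in Front Door can be bypassed by anyone who fronts the gateway with their own profile. I would extend the text with the header check Microsoft documents for this scenario, e.g. `... Lock down Azure Application Gateway to receive traffic only from Azure Front Door: allow the Front Door backend service tag in the NSG and validate the X-Azure-FDID header against your Front Door ID."`. The hunk itself only reorders `services`, so this is a note on the unchanged text rather than on the commit's edit.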
@@ -26304,7 +27288,6 @@
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
"checklist": "WAF checklist",
"guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
@@ -26315,21 +27298,20 @@
"VNet"
],
"severity": "High",
- "text": "Deploy WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
+ "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.",
"training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
"service": "VNet",
"services": [
+ "DDoS",
"WAF",
- "VNet",
- "DDoS"
+ "VNet"
],
"severity": "High",
"text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.",
@@ -26337,7 +27319,6 @@
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"guid": "b034c01e-110b-463a-b36e-e3346e57f225",
@@ -26347,37 +27328,53 @@
"WAF"
],
"severity": "High",
- "text": "Assess and review network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed",
+ "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.",
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/virtualNetworks",
"checklist": "WAF checklist",
"guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
"service": "VNet",
"services": [
- "WAF",
- "DDoS"
+ "DDoS",
+ "WAF"
],
"severity": "High",
"text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"waf": "Security"
},
+ {
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "WAF checklist",
+ "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
+ "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
+ "service": "Policy",
+ "services": [
+ "VM",
+ "AzurePolicy",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.",
+ "waf": "Security"
+ },
{
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "Backup",
+ "ExpressRoute",
+ "VPN",
+ "WAF"
],
"severity": "Medium",
- "text": "Ensure that you have investigated the possibility to use ExpressRoute as primary connection to Azure.",
+ "text": "Use ExpressRoute as the primary connection to Azure. Use VPNs as a source of backup connectivity.",
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Performance"
},
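Review bot: The new deny-public-IP policy item (guid 3c5a808d…) carries no `graph` query, unlike sibling checks in this file such as the VNet peering and firewall-policy items, so it can only be ticked manually even though the condition is queryable in Resource Graph. A NIC-level sketch along the lines of `"graph": "resources | where type == 'microsoft.network/networkinterfaces' | mv-expand ipconfig = properties.ipConfigurations | extend hasPip = isnotnull(ipconfig.properties.publicIPAddress) | summarize compliant = (countif(hasPip) == 0) by id"` would flag NICs with a public IP attached; the property path is from memory, so validate it in Resource Graph before committing. Separately, the `"Backup"` tag added to the ExpressRoute/VPN entry in this hunk reads as the Azure Backup service rather than "backup connectivity"; if `services` values are service names, `"VPN"` already covers the intent and `"Backup"` should be dropped.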
@@ -26389,11 +27386,11 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
- "text": "When you use multiple ExpressRoute circuits, or multiple on-prem locations, make sure to optimize routing with BGP attributes, if certain paths are preferred.",
+ "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.",
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Reliability"
},
@@ -26402,20 +27399,19 @@
"checklist": "WAF checklist",
"graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
"guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
- "text": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
+ "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.",
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Performance"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
@@ -26423,8 +27419,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
+ "WAF",
"Cost"
],
"severity": "High",
@@ -26432,7 +27428,6 @@
"waf": "Cost"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
@@ -26440,12 +27435,12 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
+ "WAF",
"Cost"
],
"severity": "High",
- "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU.",
+ "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.",
"waf": "Cost"
},
{
@@ -26456,8 +27451,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.",
@@ -26471,8 +27466,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.",
@@ -26486,8 +27481,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/about-fastpath",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.",
@@ -26502,8 +27497,8 @@
"link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway",
"service": "VPN",
"services": [
- "WAF",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
"text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).",
@@ -26517,8 +27512,8 @@
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable",
"service": "VPN",
"services": [
- "WAF",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
"text": "Use redundant VPN appliances on-premises (active/active or active/passive).",
@@ -26526,19 +27521,18 @@
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "718cb437-b060-2589-8856-2e93a5c6633b",
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
+ "WAF",
"Cost"
],
"severity": "High",
- "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs",
+ "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.",
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Cost"
},
@@ -26549,8 +27543,8 @@
"link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.",
@@ -26564,9 +27558,9 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.",
@@ -26580,10 +27574,10 @@
"link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
"service": "ExpressRoute",
"services": [
- "WAF",
"ACR",
+ "Monitor",
"NetworkWatcher",
- "Monitor"
+ "WAF"
],
"severity": "Medium",
"text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.",
@@ -26595,11 +27589,11 @@
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
"guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "Use ExpressRoute circuits from different peering locations for redundancy.",
@@ -26613,16 +27607,15 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
"service": "ExpressRoute",
"services": [
- "WAF",
"ExpressRoute",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, especially if only using a single ExpressRoute circuit.",
+ "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.",
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
@@ -26639,16 +27632,15 @@
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "d581a947-69a2-4783-942e-9df3664324c8",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
"service": "ExpressRoute",
"services": [
- "WAF",
+ "ExpressRoute",
"ACR",
- "ExpressRoute"
+ "WAF"
],
"severity": "High",
"text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
@@ -26661,8 +27653,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
@@ -26690,8 +27682,8 @@
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"service": "ExpressRoute",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "High",
"text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
@@ -26705,10 +27697,10 @@
"link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
"service": "ExpressRoute",
"services": [
- "WAF",
- "VNet",
+ "ExpressRoute",
"Monitor",
- "ExpressRoute"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
@@ -26722,28 +27714,40 @@
"link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
"service": "ExpressRoute",
"services": [
+ "ExpressRoute",
"WAF",
- "VNet",
- "ExpressRoute"
+ "VNet"
],
"severity": "Medium",
- "text": "Avoid using ExpressRoute circuits for VNet-to-VNet communication.",
+ "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.",
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"waf": "Performance"
},
{
- "ammp": true,
+ "checklist": "WAF checklist",
+ "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "service": "N/A",
+ "services": [
+ "ACR",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Do not send Azure traffic to hybrid locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
+ "waf": "Performance"
+ },
+ {
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "link": "https://learn.microsoft.com/azure/firewall/overview",
"service": "Firewall",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "High",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
+ "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"waf": "Security"
},
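Review bot: The new "traffic in Azure stays in Azure" entry (guid 8ac6a9e0…) is the only item in this hunk with no `arm-service` key and a `service` of "N/A"; every neighbouring entry, including the Firewall item directly below it, carries both, so anything that groups or filters the checklist by resource type will drop or mis-file it. Since the guidance is about where hub/VNet traffic is inspected and links the Virtual WAN overview, I would set `"arm-service": "Microsoft.Network/virtualNetworks"`, `"service": "VNet"` and add `"VWAN"` to `services`. I cannot see how consumers treat "N/A" from here, so confirm that sentinel is actually supported before relying on it.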
@@ -26751,14 +27755,14 @@
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
+ "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
- "RBAC",
+ "ACR",
"AzurePolicy",
- "ACR"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
@@ -26772,8 +27776,8 @@
"link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
"service": "Firewall",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "Low",
"text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
@@ -26781,7 +27785,6 @@
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
@@ -26789,16 +27792,15 @@
"link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
"service": "Firewall",
"services": [
+ "Firewall",
"WAF",
- "DNS",
- "Firewall"
+ "DNS"
],
"severity": "High",
- "text": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules.",
+ "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
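Review bot: The rewritten FQDN-rule text omits the prerequisite that makes FQDN-based network rules trustworthy: clients must resolve names through the firewall's DNS proxy so that the client and the firewall see the same IP for a given FQDN; otherwise the rule can match a different or stale address and the filter is effectively bypassable. The item's `graph` check already requires `enableProxy == true` on the policy, but the text says nothing about the VNet side, so I would append `Point the virtual network's DNS servers at the firewall's private IP so that client and firewall name resolution stay consistent.` to the `text`. The linked page on FQDN filtering in network rules is where this requirement is documented, so the addition stays within what the item already cites.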
@@ -26806,31 +27808,29 @@
"link": "https://learn.microsoft.com/azure/firewall/premium-features",
"service": "Firewall",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "High",
- "text": "Use Azure Firewall Premium for additional security and protection.",
+ "text": "Use Azure Firewall Premium to enable additional security features.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
"guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
+ "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
"service": "Firewall",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "High",
"text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
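Review bot: The new `link` anchor `#idps-signature-rules` for the Threat Intelligence item points at the IDPS documentation, but this item's `graph` query checks `threatIntelMode == 'Deny'`, which is threat-intelligence-based filtering — a separate feature from IDPS and one that is not Premium-only; the next item in the file already uses the `#idps` anchor for the IDPS mode check, so the two items now cite the same feature for two different controls. I would point this item at the threat-intel page instead: `"link": "https://learn.microsoft.com/azure/firewall/threat-intel"`. If the intent was to fold this into IDPS, the `text` and `graph` would need to change together, so keeping the link aligned with the existing query is the smaller and safer fix.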
@@ -26838,15 +27838,14 @@
"link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
"service": "Firewall",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "High",
"text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
@@ -26854,27 +27853,26 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
"VNet",
"NVA",
"Storage",
- "VWAN"
+ "VWAN",
+ "WAF"
],
"severity": "High",
- "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance",
+ "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "715d833d-4708-4527-90ac-1b142c7045ba",
"link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
+ "WAF",
"Storage"
],
"severity": "Medium",
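Review bot: The `services` reorder in this hunk is not applied by one visible rule: the first item moves `WAF` to the end of the list, while the second places it before `Storage` (`"Firewall", "WAF", "Storage"`). The same mixed placement recurs in the hunks at -26908 (`WAF` before `VNet`), -27208, -27222, -27598 and -27615. If these lists are emitted by a generator, regenerating them once from a single ordering rule would keep later diffs from churning; if the order is insignificant to consumers, it may be worth saying so in the checklist README so hand edits stop re-sorting them.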
@@ -26883,16 +27881,15 @@
"waf": "Operations"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
"link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Important",
"text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
@@ -26900,7 +27897,6 @@
"waf": "Operations"
},
{
- "ammp": true,
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
@@ -26908,8 +27904,8 @@
"link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
+ "WAF",
"VNet"
],
"severity": "High",
@@ -26923,11 +27919,11 @@
"link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
"service": "Firewall",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
- "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use",
+ "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
"waf": "Performance"
},
{
@@ -26941,7 +27937,7 @@
"Storage"
],
"severity": "Medium",
- "text": "Use IP Groups or IP prefixes to reduce number of IP table rules",
+ "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.",
"waf": "Performance"
},
{
@@ -26954,18 +27950,18 @@
"WAF"
],
"severity": "Medium",
- "text": "Avoid wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs",
+ "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.",
"waf": "Performance"
},
{
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
- "link": "https://learn.microsoft.com/azure/nat-gateway/tutorial-hub-spoke-nat-firewall",
+ "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
"service": "Firewall",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
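Review bot: The rewritten DNAT text still mixes `DNATS` and `DNATs` in one sentence and joins two clauses with a comma. A tighter form is `"text": "Do not use wildcards such as * or any as the source IP for DNAT rules; specify the source IPs for incoming DNATs."`. The item's `waf` pillar (outside this hunk's changed lines) also reads as a security control rather than a performance one, which may be worth checking against the sibling firewall items.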
@@ -26978,10 +27974,11 @@
"link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection",
"service": "Firewall",
"services": [
+ "Firewall",
"WAF"
],
"severity": "High",
- "text": "Enable TLS Inspection",
+ "text": "If you are using Azure Firewall Premium, enable TLS Inspection.",
"waf": "Performance"
},
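Review bot: The TLS Inspection item keeps `"waf": "Performance"` while the rewritten text now scopes it to Azure Firewall Premium, and the neighbouring Premium-feature items (IDPS mode, Threat Intelligence mode, Premium tier) are all tagged `"waf": "Security"`. Since TLS inspection is what lets IDPS and URL filtering see HTTPS payloads, the pillar looks like it should be `"waf": "Security"` for consistency; the pillar line is context here, so this is presumably a pre-existing mismatch rather than one the commit introduces.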
{
@@ -27018,27 +28015,12 @@
"link": "https://learn.microsoft.com/azure/firewall/dns-details",
"service": "Firewall",
"services": [
+ "Firewall",
"WAF",
- "DNS",
- "Firewall"
- ],
- "severity": "Medium",
- "text": "Enable Azure Firewall DNS proxy configuration ",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "WAF checklist",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
- "service": "Firewall",
- "services": [
- "WAF",
- "AzurePolicy",
- "VM"
+ "DNS"
],
"severity": "Medium",
- "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines",
+ "text": "Enable Azure Firewall DNS proxy configuration.",
"waf": "Security"
},
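Review bot: This hunk drops the item `Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines` (guid 3c5a808d-c695-4c14-a63c-c7ab7a510e41) while only the DNS proxy item survives, and nothing in the visible diff re-adds that control elsewhere. A deny-public-IP-on-NIC policy is one of the few preventive guardrails in this section, so if the removal is intentional the commit description should say why (e.g. superseded by a landing-zone policy item), and if it was meant to be moved rather than deleted it should be restored with its `link` to the ALZ policy wiki.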
{
@@ -27048,11 +28030,11 @@
"link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
"service": "Firewall",
"services": [
- "WAF",
"Firewall",
- "Monitor"
+ "Monitor",
+ "WAF"
],
- "severity": "Low",
+ "severity": "High",
"text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.",
"waf": "Operations"
},
@@ -27063,15 +28045,14 @@
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall",
"service": "Firewall",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Low",
"text": "Implement backups for your firewall rules",
"waf": "Operations"
},
{
- "ammp": true,
"arm-service": "microsoft.network/applicationGateways",
"checklist": "WAF checklist",
"guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511",
@@ -27082,7 +28063,7 @@
"VNet"
],
"severity": "High",
- "text": "Ensure that control-plane communication for Azure PaaS services injected into a virtual network is not broken, for example with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
+ "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.",
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"waf": "Security"
},
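Review bot: The rewritten text has a number agreement error: `injected into a virtual networks`. Suggested line: `"text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual network, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic."`.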
@@ -27090,12 +28071,12 @@
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
"service": "ExpressRoute",
"services": [
- "WAF",
+ "PrivateLink",
"ExpressRoute",
- "PrivateLink"
+ "WAF"
],
"severity": "Medium",
"text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. This method avoids transiting over the public internet.",
@@ -27107,13 +28088,13 @@
"checklist": "WAF checklist",
"graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc",
"guid": "4704489a-8042-4d88-b79d-17b73b22a5a6",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview",
"service": "VNet",
"services": [
"WAF",
"VNet"
],
- "severity": "Medium",
+ "severity": "High",
"text": "Don't enable virtual network service endpoints by default on all subnets.",
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"waf": "Security"
@@ -27122,14 +28103,14 @@
"arm-service": "Microsoft.Network/azureFirewalls",
"checklist": "WAF checklist",
"guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features",
+ "link": "azure/private-link/inspect-traffic-with-azure-firewall",
"service": "Firewall",
"services": [
- "WAF",
- "PrivateLink",
"Firewall",
+ "PrivateLink",
"NVA",
- "DNS"
+ "DNS",
+ "WAF"
],
"severity": "Medium",
"text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.",
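Review bot: The new `link` value `azure/private-link/inspect-traffic-with-azure-firewall` is a bare relative path, whereas every other `link` in the file is an absolute `https://learn.microsoft.com/...` URL, so any renderer that emits it as an anchor will produce a broken link. Change it to `"link": "https://learn.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall",`. A quick `jq -r '.items[].link' | grep -v '^https://'` style check in CI would catch this class of edit.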
@@ -27137,7 +28118,6 @@
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "microsoft.network/expressRouteCircuits",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
@@ -27145,13 +28125,13 @@
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
"service": "ExpressRoute",
"services": [
- "WAF",
- "VNet",
+ "ExpressRoute",
"VPN",
- "ExpressRoute"
+ "WAF",
+ "VNet"
],
"severity": "High",
- "text": "Use at least a /27 prefix for your Gateway subnets",
+ "text": "Use at least a /27 prefix for your Gateway subnets.",
"waf": "Security"
},
{
@@ -27165,7 +28145,7 @@
"WAF",
"VNet"
],
- "severity": "Medium",
+ "severity": "High",
"text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.",
"waf": "Security"
},
@@ -27176,8 +28156,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
"service": "NSG",
"services": [
- "WAF",
"ACR",
+ "WAF",
"VNet"
],
"severity": "Medium",
@@ -27185,22 +28165,6 @@
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"waf": "Security"
},
- {
- "arm-service": "Microsoft.Network/networkSecurityGroups",
- "checklist": "WAF checklist",
- "graph": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)",
- "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
- "service": "NSG",
- "services": [
- "WAF",
- "VNet",
- "VM"
- ],
- "severity": "Medium",
- "text": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone.",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "Security"
- },
{
"arm-service": "Microsoft.Network/networkSecurityGroups",
"checklist": "WAF checklist",
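Review bot: The deleted NSG item (guid 9c2299c4-d7b5-47d0-a655-562f2b3e4563) carried the only visible Resource Graph query that verifies an NSG is attached to every non-gateway subnet (`compliant = isnotnull(subnetNsg)`), and the retained micro-segmentation item that follows has no `graph` field in the visible lines. If the deletion is a de-duplication, consider moving that `graph` query onto the surviving NSG item so the automated check is not lost; the surviving item's header is outside this hunk, so I cannot confirm whether it already has one.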
@@ -27208,10 +28172,10 @@
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
"service": "NSG",
"services": [
+ "NVA",
"WAF",
- "Entra",
"VNet",
- "NVA"
+ "Entra"
],
"severity": "Medium",
"text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.",
@@ -27222,12 +28186,12 @@
"arm-service": "Microsoft.Network/networkSecurityGroups",
"checklist": "WAF checklist",
"guid": "dfe237de-143b-416c-91d7-aa9b64704489",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
"service": "NSG",
"services": [
+ "NetworkWatcher",
"WAF",
- "VNet",
- "NetworkWatcher"
+ "VNet"
],
"severity": "Medium",
"text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.",
@@ -27246,7 +28210,7 @@
"VNet"
],
"severity": "Medium",
- "text": "Consider the limit of NSG rules per NSG (1000).",
+ "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.",
"training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
"waf": "Reliability"
},
@@ -27257,11 +28221,11 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
"service": "VWAN",
"services": [
- "WAF",
- "VWAN"
+ "VWAN",
+ "WAF"
],
"severity": "Medium",
- "text": "Consider Virtual WAN for simplified Azure networking management, and make sure your scenario is explicitly described in the list of Virtual WAN routing designs",
+ "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.",
"training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
"waf": "Operations"
},
@@ -27269,44 +28233,30 @@
"arm-service": "microsoft.network/virtualWans",
"checklist": "WAF checklist",
"guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
"service": "VWAN",
"services": [
- "WAF",
"VWAN",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.",
"waf": "Performance"
},
- {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "WAF checklist",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "VWAN",
- "services": [
- "WAF",
- "ACR"
- ],
- "severity": "Low",
- "text": "Follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network",
- "waf": "Performance"
- },
{
"arm-service": "microsoft.network/virtualWans",
"checklist": "WAF checklist",
"graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
"guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
"service": "VWAN",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "Medium",
- "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs",
+ "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"waf": "Security"
},
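Review bot: The new `link` fragment ends in `#virtual-wan-network-design-recommendationst`, which looks like a stray trailing `t`; the browser will silently land at the page top rather than the intended section. Suggested line: `"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendations",`.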
@@ -27314,14 +28264,14 @@
"arm-service": "microsoft.network/virtualWans",
"checklist": "WAF checklist",
"guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
"service": "VWAN",
"services": [
- "WAF",
- "VWAN"
+ "VWAN",
+ "WAF"
],
"severity": "Medium",
- "text": "Ensure that the network architecture is within the Azure Virtual WAN limits.",
+ "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.",
"waf": "Reliability"
},
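Review bot: The rewritten text drops the only Reliability check about staying within Azure Virtual WAN limits and replaces it with `aligns to an identified architecture scenario`, which largely restates the earlier VWAN item `Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs`. If the limits guidance is meant to go, the commit description should say so; otherwise keep it as its own item with the subscription-service-limits link and let this one cover migration from hub-and-spoke, which is what the new `link` describes.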
{
@@ -27331,9 +28281,9 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
"service": "VWAN",
"services": [
- "WAF",
"VWAN",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.",
@@ -27346,11 +28296,11 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
"service": "VWAN",
"services": [
- "WAF",
- "VWAN"
+ "VWAN",
+ "WAF"
],
"severity": "Medium",
- "text": "Make sure that your IaC deployments does not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
+ "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.",
"waf": "Reliability"
},
{
@@ -27360,9 +28310,9 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
"service": "VWAN",
"services": [
- "WAF",
"ExpressRoute",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
"text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.",
@@ -27375,15 +28325,14 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
"service": "VWAN",
"services": [
- "WAF",
- "VWAN"
+ "VWAN",
+ "WAF"
],
"severity": "Medium",
- "text": "Make sure that your IaC deployments are configuring label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
+ "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "microsoft.network/virtualWans",
"checklist": "WAF checklist",
"guid": "9c75dfef-573c-461c-a698-68598595581a",
@@ -27393,19 +28342,18 @@
"WAF"
],
"severity": "High",
- "text": "Assign enough IP space to virtual hubs, ideally a /23 prefix.",
+ "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
"waf": "Reliability"
},
{
- "ammp": true,
"arm-service": "Microsoft.Authorization/policyDefinitions",
"checklist": "WAF checklist",
"guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "High",
"text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
@@ -27418,9 +28366,9 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
"RBAC",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
@@ -27433,12 +28381,12 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
+ "Subscriptions",
"AzurePolicy",
- "Subscriptions"
+ "WAF"
],
"severity": "Medium",
- "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes",
+ "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
"waf": "Security"
},
{
@@ -27448,10 +28396,10 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
- "severity": "Medium",
+ "severity": "High",
"text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
"waf": "Security"
},
@@ -27462,12 +28410,12 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
"service": "Policy",
"services": [
- "WAF",
+ "Subscriptions",
"AzurePolicy",
- "Subscriptions"
+ "WAF"
],
"severity": "Low",
- "text": "Use Azure Policy to control which services users can provision at the subscription/management group level",
+ "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
"waf": "Security"
},
{
@@ -27477,10 +28425,10 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
- "severity": "Medium",
+ "severity": "High",
"text": "Use built-in policies where possible to minimize operational overhead.",
"waf": "Security"
},
@@ -27492,11 +28440,11 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
"service": "Policy",
"services": [
- "WAF",
"Subscriptions",
- "RBAC",
"AzurePolicy",
- "Entra"
+ "Entra",
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
@@ -27509,9 +28457,9 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "Policy",
"services": [
- "WAF",
+ "Subscriptions",
"AzurePolicy",
- "Subscriptions"
+ "WAF"
],
"severity": "Medium",
"text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
@@ -27524,11 +28472,11 @@
"link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
- "text": "If any data sovereignty requirements exist, Azure Policies can be deployed to enforce them",
+ "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
"training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
"waf": "Security"
},
@@ -27539,11 +28487,12 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "Subscriptions",
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
- "text": "For Sovereign Landing Zone, sovereignty policy baseline' policy initiative is deployed and and assigned at correct MG level.",
+ "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
"waf": "Security"
},
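Review bot: The rewritten text is missing articles and reads as a fragment: `deploy sovereignty policy baseline and assign at correct management group level`. Suggested line: `"text": "For Sovereign Landing Zone, deploy the sovereignty policy baseline initiative and assign it at the correct management group level."`.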
{
@@ -27553,24 +28502,25 @@
"link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
- "text": "For Sovereign Landing Zone, sovereign Control objectives to policy mapping' is documented.",
+ "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.",
"waf": "Security"
},
{
"arm-service": "Microsoft.Authorization/policyDefinitions",
"checklist": "WAF checklist",
"guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
"service": "Policy",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
- "text": "For Sovereign Landing Zone, process is in place for CRUD of 'Sovereign Control objectives to policy mapping'.",
+ "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.",
"waf": "Security"
},
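Review bot: The rewritten text `ensure process is in place for management of` is missing an article and is wordier than needed. Suggested line: `"text": "For Sovereign Landing Zone, ensure a process is in place for managing the 'Sovereign Control objectives to policy mapping'."`.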
{
@@ -27580,11 +28530,11 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "Monitor",
"services": [
- "WAF",
+ "AzurePolicy",
"Monitor",
+ "Entra",
"RBAC",
- "AzurePolicy",
- "Entra"
+ "WAF"
],
"severity": "Medium",
"text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
@@ -27598,12 +28548,12 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
"service": "Monitor",
"services": [
- "WAF",
"ARS",
"AzurePolicy",
+ "WAF",
"Storage"
],
- "severity": "Medium",
+ "severity": "High",
"text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"waf": "Operations"
@@ -27615,10 +28565,10 @@
"link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
"service": "VM",
"services": [
- "WAF",
+ "Monitor",
"AzurePolicy",
- "VM",
- "Monitor"
+ "WAF",
+ "VM"
],
"severity": "Medium",
"text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
@@ -27629,11 +28579,11 @@
"arm-service": "Microsoft.Compute/virtualMachines",
"checklist": "WAF checklist",
"guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
@@ -27647,8 +28597,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
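Review bot: The previous hunk strips the trailing space from `...#update-management-considerations `, but the identical URL in this hunk's context line still carries it, so the two Update Manager items now point at subtly different strings. Apply the same fix here: `"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",`.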
@@ -27662,12 +28612,12 @@
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
"service": "Network Watcher",
"services": [
- "WAF",
+ "Monitor",
"NetworkWatcher",
- "Monitor"
+ "WAF"
],
"severity": "Medium",
- "text": "Use Network Watcher to proactively monitor traffic flows",
+ "text": "Use Network Watcher to proactively monitor traffic flows.",
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"waf": "Operations"
},
@@ -27678,8 +28628,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
"service": "Monitor",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Monitor Logs for insights and reporting.",
@@ -27692,8 +28642,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
"service": "Monitor",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Monitor alerts for the generation of operational alerts.",
@@ -27706,8 +28656,8 @@
"link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
"service": "Monitor",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
@@ -27720,11 +28670,11 @@
"link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
"service": "Backup",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
- "severity": "Medium",
- "text": "When using Azure Backup, consider the different backup types (GRS, ZRS & LRS) as the default setting is GRS",
+ "severity": "Low",
+ "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.",
"waf": "Reliability"
},
{
@@ -27734,26 +28684,26 @@
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
"service": "VM",
"services": [
- "WAF",
+ "VM",
"AzurePolicy",
- "VM"
+ "WAF"
],
"severity": "Medium",
- "text": "Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
+ "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.",
"waf": "Security"
},
{
"arm-service": "Microsoft.Compute/virtualMachines",
"checklist": "WAF checklist",
- "description": "Azure Policy's guest configuration features can audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
+ "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
"guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
"service": "VM",
"services": [
- "WAF",
+ "Monitor",
"AzurePolicy",
- "VM",
- "Monitor"
+ "WAF",
+ "VM"
],
"severity": "Medium",
"text": "Monitor VM security configuration drift via Azure Policy.",
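Review bot: The rewritten `description` switches to the imperative for the first clause but leaves the second declarative (`Use Azure Policy's guest configuration features to audit ... and Update Management can enforce ...`), so the sentence no longer parses cleanly. Suggested line: `"description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) so that resources align with expected configurations, and use Update Management to enforce patch management for VMs.",`.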
@@ -27766,9 +28716,9 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
"service": "VM",
"services": [
- "WAF",
- "ACR",
"ASR",
+ "ACR",
+ "WAF",
"VM"
],
"severity": "Medium",
@@ -27782,70 +28732,23 @@
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
"service": "Backup",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.",
"waf": "Operations"
},
{
- "ammp": true,
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "guid": "826c5c45-bb79-4951-a812-e3bfbfd7326b",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "VM",
- "services": [
- "WAF",
- "VM"
- ],
- "severity": "High",
- "text": "Leverage Availability Zones for your VMs in regions where they are supported.",
- "waf": "Reliability"
- },
- {
- "ammp": true,
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "guid": "7ccb7c06-5511-42df-8177-d97f08d0337d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "VM",
- "services": [
- "WAF",
- "VM"
- ],
- "severity": "High",
- "text": "Avoid running a production workload on a single VM.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "guid": "84101f59-1941-4195-a270-e28034290e3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
- "services": [
- "WAF",
- "ACR",
- "LoadBalancer",
- "AppGW"
- ],
- "severity": "Medium",
- "text": "Azure Load Balancer and Application Gateway distribute incoming network traffic across multiple resources.",
- "waf": "Reliability"
- },
- {
- "ammp": true,
"arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
"checklist": "WAF checklist",
"guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
"service": "WAF",
"services": [
+ "AppGW",
"WAF",
- "FrontDoor",
- "AppGW"
+ "FrontDoor"
],
"severity": "High",
"text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.",
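Review bot: Three VM reliability entries are deleted in this hunk (guids `826c5c45-bb79-4951-a812-e3bfbfd7326b`, `7ccb7c06-5511-42df-8177-d97f08d0337d`, `84101f59-1941-4195-a270-e28034290e3a`), two of them High severity (Availability Zones, no production workload on a single VM), and nothing in view says whether they were relocated; if they were not re-added elsewhere in the file, the checklist silently loses its two strongest VM availability checks, which is worth confirming before merge. The same hunk also drops `"ammp": true` from the WAF diagnostics entry, and the later Key Vault, Defender, Storage and Redis hunks do the same for their entries without adding a replacement key; if any consumer filters on that flag, those items vanish from that view, so the removal should be stated as intentional in the change description. The deletions and the flag removal are separate decisions and deserve separate justification.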
@@ -27858,17 +28761,16 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
"service": "WAF",
"services": [
- "WAF",
- "FrontDoor",
"AppGW",
- "Sentinel"
+ "WAF",
+ "Sentinel",
+ "FrontDoor"
],
"severity": "Medium",
"text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.",
"waf": "Operations"
},
{
- "ammp": true,
"arm-service": "Microsoft.KeyVault/vaults",
"checklist": "WAF checklist",
"guid": "5017f154-e3ab-4369-9829-e7e316183687",
@@ -27879,7 +28781,7 @@
"AKV"
],
"severity": "High",
- "text": "Use Azure Key Vault to store your secrets and credentials",
+ "text": "Use Azure Key Vault to store your secrets and credentials.",
"waf": "Security"
},
{
@@ -27904,9 +28806,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
+ "AzurePolicy",
"WAF",
- "AKV",
- "AzurePolicy"
+ "AKV"
],
"severity": "Medium",
"text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
@@ -27919,9 +28821,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
+ "RBAC",
"WAF",
"AKV",
- "RBAC",
"Entra"
],
"severity": "Medium",
@@ -27961,10 +28863,10 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "WAF",
- "AKV",
+ "PrivateLink",
"VNet",
- "PrivateLink"
+ "WAF",
+ "AKV"
],
"severity": "Medium",
"text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.",
@@ -27977,9 +28879,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
"service": "Key Vault",
"services": [
+ "Monitor",
"WAF",
"AKV",
- "Monitor",
"Entra"
],
"severity": "Medium",
@@ -27993,9 +28895,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
+ "AzurePolicy",
"WAF",
- "AKV",
- "AzurePolicy"
+ "AKV"
],
"severity": "Medium",
"text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.",
@@ -28022,9 +28924,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
- "WAF",
- "ACR",
"ASR",
+ "ACR",
+ "WAF",
"AKV"
],
"severity": "Medium",
@@ -28059,52 +28961,48 @@
"waf": "Security"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "09945bda-4333-44f2-9911-634182ba5275",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
"service": "Defender",
"services": [
- "WAF",
+ "Defender",
"Subscriptions",
- "Defender"
+ "WAF"
],
"severity": "High",
"text": "Enable Defender Cloud Security Posture Management for all subscriptions.",
"waf": "Security"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
"service": "Defender",
"services": [
- "WAF",
+ "Defender",
"Subscriptions",
- "Defender"
+ "WAF"
],
"severity": "High",
"text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.",
"waf": "Security"
},
{
- "ammp": true,
"checklist": "WAF checklist",
"guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription",
"service": "Defender",
"services": [
- "WAF",
+ "Defender",
"Subscriptions",
- "Defender"
+ "WAF"
],
"severity": "High",
"text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Compute/virtualMachines",
"checklist": "WAF checklist",
"guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b",
@@ -28124,9 +29022,9 @@
"link": "https://learn.microsoft.com/azure/security-center/",
"service": "VM",
"services": [
- "WAF",
+ "Defender",
"Monitor",
- "Defender"
+ "WAF"
],
"severity": "Medium",
"text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.",
@@ -28139,9 +29037,9 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "Monitor",
"services": [
+ "Monitor",
"WAF",
- "Entra",
- "Monitor"
+ "Entra"
],
"severity": "Medium",
"text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.",
@@ -28157,7 +29055,7 @@
"Entra"
],
"severity": "Medium",
- "text": "For Sovereign Landing Zone, transparency logs is enabled on the Entra ID tenant.",
+ "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.",
"waf": "Security"
},
{
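Review bot: The rewritten `text` introduces a spelling regression — the removed line had "transparency logs" and the added line reads "transparancy logs"; it should be `"text": "For Sovereign Landing Zone, enable transparency logs on the Entra ID tenant."`. The companion rewrite in the next hunk ("enable customer Lockbox on the Entra ID tenant") would also read better with the product's capitalisation, "Customer Lockbox". Since these strings are the checklist items shown to users, a spell-check pass over the new `text` values before regenerating the file would catch this class of issue.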
@@ -28170,11 +29068,10 @@
"Entra"
],
"severity": "Medium",
- "text": "For Sovereign Landing Zone, customer Lockbox is enabled on the Entra ID tenant.",
+ "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Storage/storageAccounts",
"checklist": "WAF checklist",
"guid": "b03ed428-4617-4067-a787-85468b9ccf3f",
@@ -28185,11 +29082,10 @@
"Storage"
],
"severity": "High",
- "text": "Secure transfer to storage accounts should be enabled",
+ "text": "Enable secure transfer to storage accounts.",
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.Storage/storageAccounts",
"checklist": "WAF checklist",
"guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
@@ -28204,16 +29100,15 @@
"waf": "Security"
},
{
- "ammp": true,
"arm-service": "Microsoft.KeyVault/vaults",
"checklist": "WAF checklist",
"guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
"service": "Key Vault",
"services": [
+ "VM",
"WAF",
- "AKV",
- "VM"
+ "AKV"
],
"severity": "High",
"text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.",
@@ -28226,8 +29121,8 @@
"link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
"service": "Redis",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "High",
"text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
@@ -28268,8 +29163,8 @@
"link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
"service": "Redis",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "Medium",
"text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
@@ -28360,8 +29255,8 @@
"link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
"service": "App Services",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
@@ -28400,8 +29295,8 @@
"link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
"service": "App Services",
"services": [
- "WAF",
"Backup",
+ "WAF",
"AppSvc"
],
"severity": "High",
@@ -28471,9 +29366,9 @@
"link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
"service": "App Services",
"services": [
+ "Monitor",
"WAF",
- "AppSvc",
- "Monitor"
+ "AppSvc"
],
"severity": "Medium",
"text": "Monitor App Service instances using Health checks",
@@ -28486,8 +29381,8 @@
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
"service": "App Services",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests",
@@ -28500,8 +29395,8 @@
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
"service": "App Services",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Low",
"text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
@@ -28531,9 +29426,9 @@
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"service": "App Services",
"services": [
+ "AppSvc",
"WAF",
"AKV",
- "AppSvc",
"Entra"
],
"severity": "High",
@@ -28564,9 +29459,9 @@
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"service": "App Services",
"services": [
+ "Subscriptions",
"WAF",
- "AppSvc",
- "Subscriptions"
+ "AppSvc"
],
"severity": "Medium",
"text": "Isolate systems that process sensitive information",
@@ -28580,8 +29475,8 @@
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"service": "App Services",
"services": [
- "WAF",
"TrafficManager",
+ "WAF",
"AppSvc"
],
"severity": "Medium",
@@ -28596,9 +29491,9 @@
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
"service": "App Services",
"services": [
+ "AppSvc",
"WAF",
- "Entra",
- "AppSvc"
+ "Entra"
],
"severity": "Medium",
"text": "Use an established Identity Provider for authentication",
@@ -28643,8 +29538,8 @@
"service": "App Services",
"services": [
"WAF",
- "Entra",
- "AKV"
+ "AKV",
+ "Entra"
],
"severity": "High",
"text": "Use Managed Identity to connect to resources",
@@ -28658,9 +29553,9 @@
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"service": "App Services",
"services": [
+ "ACR",
"WAF",
- "Entra",
- "ACR"
+ "Entra"
],
"severity": "High",
"text": "Pull containers using a Managed Identity",
@@ -28674,10 +29569,10 @@
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"service": "App Services",
"services": [
- "WAF",
"Entra",
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "WAF",
+ "AppSvc"
],
"severity": "Medium",
"text": "Send App Service runtime logs to Log Analytics",
@@ -28691,10 +29586,10 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"service": "App Services",
"services": [
- "WAF",
"Entra",
- "AppSvc",
- "Monitor"
+ "Monitor",
+ "WAF",
+ "AppSvc"
],
"severity": "Medium",
"text": "Send App Service activity logs to Log Analytics",
@@ -28708,11 +29603,11 @@
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
"service": "App Services",
"services": [
- "WAF",
"Firewall",
- "Monitor",
"VNet",
- "NVA"
+ "NVA",
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Outbound network access should be controlled",
@@ -28726,12 +29621,12 @@
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"service": "App Services",
"services": [
- "WAF",
"Firewall",
- "PrivateLink",
"VNet",
+ "PrivateLink",
"NVA",
- "Storage"
+ "Storage",
+ "WAF"
],
"severity": "Low",
"text": "Ensure a stable IP for outbound communications towards internet addresses",
@@ -28745,9 +29640,9 @@
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"service": "App Services",
"services": [
+ "PrivateLink",
"WAF",
- "AppSvc",
- "PrivateLink"
+ "AppSvc"
],
"severity": "High",
"text": "Inbound network access should be controlled",
@@ -28761,10 +29656,10 @@
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"service": "App Services",
"services": [
- "WAF",
+ "AppSvc",
"Monitor",
"AppGW",
- "AppSvc",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -28779,8 +29674,8 @@
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"service": "App Services",
"services": [
- "WAF",
- "PrivateLink"
+ "PrivateLink",
+ "WAF"
],
"severity": "High",
"text": "Avoid for WAF to be bypassed",
@@ -28795,8 +29690,8 @@
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"service": "App Services",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"AppSvc"
],
"severity": "Medium",
@@ -28857,9 +29752,9 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"service": "App Services",
"services": [
+ "Defender",
"WAF",
- "AppSvc",
- "Defender"
+ "AppSvc"
],
"severity": "Medium",
"text": "Enable Defender for Cloud - Defender for App Service",
@@ -28873,12 +29768,12 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "App Services",
"services": [
- "WAF",
+ "DDoS",
+ "VNet",
+ "NVA",
"EventHubs",
"AppGW",
- "VNet",
- "DDoS",
- "NVA"
+ "WAF"
],
"severity": "Medium",
"text": "Enable DDOS Protection Standard on the WAF VNet",
@@ -28892,10 +29787,10 @@
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"service": "App Services",
"services": [
- "WAF",
+ "PrivateLink",
"ACR",
- "VNet",
- "PrivateLink"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Pull containers over a Virtual Network",
@@ -28949,9 +29844,9 @@
"guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
"service": "AVS",
"services": [
+ "Subscriptions",
"WAF",
- "Entra",
- "Subscriptions"
+ "Entra"
],
"severity": "High",
"text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
@@ -28963,8 +29858,8 @@
"guid": "75089c20-990d-4927-b105-885576f76fc2",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
@@ -29025,9 +29920,9 @@
"guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
"service": "AVS",
"services": [
- "WAF",
"RBAC",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Has an RBAC model been created for use within VMware vSphere",
@@ -29039,8 +29934,8 @@
"guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
"service": "AVS",
"services": [
- "WAF",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "RBAC permissions should be granted on ADDS groups and not on specific users",
@@ -29052,9 +29947,9 @@
"guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
"service": "AVS",
"services": [
- "WAF",
"RBAC",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
@@ -29066,8 +29961,8 @@
"guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
"service": "AVS",
"services": [
- "WAF",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "High",
"text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
@@ -29080,8 +29975,8 @@
"link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
@@ -29093,11 +29988,11 @@
"guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
"service": "AVS",
"services": [
- "WAF",
- "Monitor",
"NetworkWatcher",
+ "VPN",
+ "Monitor",
"ExpressRoute",
- "VPN"
+ "WAF"
],
"severity": "High",
"text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
@@ -29109,12 +30004,12 @@
"guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
"service": "AVS",
"services": [
- "WAF",
- "Monitor",
- "NetworkWatcher",
"ExpressRoute",
+ "Monitor",
"VM",
- "AVS"
+ "NetworkWatcher",
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
@@ -29126,11 +30021,11 @@
"guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "NetworkWatcher",
"VM",
- "AVS"
+ "NetworkWatcher",
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
@@ -29142,8 +30037,8 @@
"guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
"service": "AVS",
"services": [
- "WAF",
- "ARS"
+ "ARS",
+ "WAF"
],
"severity": "High",
"text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
@@ -29155,10 +30050,10 @@
"guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
"service": "AVS",
"services": [
- "WAF",
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
@@ -29170,10 +30065,10 @@
"guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
"service": "AVS",
"services": [
- "WAF",
- "Entra",
"RBAC",
- "AVS"
+ "AVS",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
@@ -29185,9 +30080,9 @@
"guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
"service": "AVS",
"services": [
+ "AVS",
"WAF",
- "Entra",
- "AVS"
+ "Entra"
],
"severity": "Medium",
"text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
@@ -29211,8 +30106,8 @@
"guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
"service": "AVS",
"services": [
- "WAF",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
@@ -29236,10 +30131,10 @@
"guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
"service": "AVS",
"services": [
- "WAF",
- "Entra",
"VM",
- "AVS"
+ "AVS",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
@@ -29263,10 +30158,10 @@
"guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
"service": "AVS",
"services": [
- "WAF",
- "Firewall",
"AppGW",
- "AVS"
+ "Firewall",
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
@@ -29278,8 +30173,8 @@
"guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
@@ -29291,9 +30186,9 @@
"guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
@@ -29305,11 +30200,11 @@
"guid": "334fdf91-c234-4182-a652-75269440b4be",
"service": "AVS",
"services": [
- "WAF",
- "VNet",
+ "VPN",
"DDoS",
+ "VNet",
"ExpressRoute",
- "VPN"
+ "WAF"
],
"severity": "Medium",
"text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
@@ -29321,8 +30216,8 @@
"guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
@@ -29334,9 +30229,9 @@
"guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
"service": "AVS",
"services": [
- "WAF",
"Defender",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
@@ -29348,9 +30243,9 @@
"guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
"service": "AVS",
"services": [
- "WAF",
"Arc",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
@@ -29362,9 +30257,9 @@
"guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
"service": "AVS",
"services": [
- "WAF",
"SQL",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Low",
"text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
@@ -29389,8 +30284,8 @@
"guid": "5ac94222-3e13-4810-9230-81a941741583",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
@@ -29414,8 +30309,8 @@
"guid": "d88408f3-7273-44c8-96ba-280214590146",
"service": "AVS",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -29428,8 +30323,8 @@
"guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
"service": "AVS",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "High",
"text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
@@ -29453,8 +30348,8 @@
"guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
"service": "AVS",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
@@ -29466,9 +30361,9 @@
"guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
"service": "AVS",
"services": [
+ "AVS",
"WAF",
- "Cost",
- "AVS"
+ "Cost"
],
"severity": "Medium",
"text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
@@ -29480,9 +30375,9 @@
"guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
"service": "AVS",
"services": [
+ "AVS",
"WAF",
- "Cost",
- "AVS"
+ "Cost"
],
"severity": "Low",
"text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
@@ -29518,10 +30413,10 @@
"guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
"service": "AVS",
"services": [
- "WAF",
- "VM",
"Defender",
- "AVS"
+ "VM",
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
@@ -29533,10 +30428,10 @@
"guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
"service": "AVS",
"services": [
- "WAF",
- "VM",
"Arc",
- "AVS"
+ "VM",
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
@@ -29548,8 +30443,8 @@
"guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Enable Diagnostic and metric logging on Azure VMware Solution",
@@ -29561,10 +30456,10 @@
"guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
"service": "AVS",
"services": [
- "WAF",
- "VM",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF",
+ "VM"
],
"severity": "Medium",
"text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
@@ -29576,11 +30471,11 @@
"guid": "589d457a-927c-4397-9d11-02cad6aae11e",
"service": "AVS",
"services": [
- "WAF",
"Backup",
"AzurePolicy",
"VM",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
@@ -29592,10 +30487,10 @@
"guid": "ee29711b-d352-4caa-ab79-b198dab81932",
"service": "AVS",
"services": [
- "WAF",
- "AVS",
+ "Defender",
"Monitor",
- "Defender"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
@@ -29607,8 +30502,8 @@
"guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
"service": "AVS",
"services": [
- "WAF",
- "Defender"
+ "Defender",
+ "WAF"
],
"severity": "Medium",
"text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
@@ -29620,8 +30515,8 @@
"guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
@@ -29657,9 +30552,9 @@
"guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
@@ -29671,9 +30566,9 @@
"guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
@@ -29685,9 +30580,9 @@
"guid": "9659e396-80e7-4828-ac93-5657d02bff45",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
@@ -29699,8 +30594,8 @@
"guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
"service": "AVS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "High",
"text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
@@ -29712,9 +30607,9 @@
"guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
"service": "AVS",
"services": [
+ "AVS",
"WAF",
- "Storage",
- "AVS"
+ "Storage"
],
"severity": "Medium",
"text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
@@ -29726,8 +30621,8 @@
"guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Low",
"text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
@@ -29739,9 +30634,9 @@
"guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
"service": "AVS",
"services": [
- "WAF",
- "AzurePolicy",
"VM",
+ "AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -29766,8 +30661,8 @@
"guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
"service": "AVS",
"services": [
- "WAF",
"Backup",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -29780,9 +30675,9 @@
"guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
"service": "AVS",
"services": [
- "WAF",
"Arc",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
@@ -29794,9 +30689,9 @@
"guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
"service": "AVS",
"services": [
- "WAF",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
@@ -29808,8 +30703,8 @@
"guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
@@ -29821,10 +30716,10 @@
"guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
"service": "AVS",
"services": [
- "WAF",
- "AzurePolicy",
"Monitor",
- "AVS"
+ "AVS",
+ "WAF",
+ "AzurePolicy"
],
"severity": "Medium",
"text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
@@ -29836,9 +30731,9 @@
"guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
"service": "AVS",
"services": [
- "WAF",
"Defender",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
@@ -29850,8 +30745,8 @@
"guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
"service": "AVS",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
@@ -29875,8 +30770,8 @@
"guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
"service": "AVS",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
@@ -29900,8 +30795,8 @@
"guid": "8255461e-2aee-4345-9aec-8339248b262d",
"service": "AVS",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "Medium",
"text": "Use the geopolitical region pair as the secondary disaster recovery environment",
@@ -29925,10 +30820,10 @@
"guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
"service": "AVS",
"services": [
- "WAF",
"ExpressRoute",
"NVA",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
@@ -29940,8 +30835,8 @@
"guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
"service": "AVS",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
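Review bot: The `text` value of this item contains a U+FFFD replacement character (`/Veeam/�. ]`), i.e. the original character was lost in a re-encoding and the file now carries mojibake in a user-visible string. That is most likely an artifact of the tooling reading or writing the file with a non-UTF-8 codec; the source value should be restored (an ellipsis or similar, to be confirmed against the upstream checklist) and the generator pinned to UTF-8 so this does not recur.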
@@ -29953,9 +30848,9 @@
"guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
"service": "AVS",
"services": [
- "WAF",
"Backup",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
@@ -29967,8 +30862,8 @@
"guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
"service": "AVS",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy your backup solution outside of vSan, on Azure native components",
@@ -29980,8 +30875,8 @@
"guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Low",
"text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
@@ -30005,8 +30900,8 @@
"guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Low",
"text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
@@ -30042,8 +30937,8 @@
"guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
"service": "AVS",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Low",
"text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
@@ -30068,10 +30963,10 @@
"guid": "255461e2-aee3-4553-afc8-339248b262d6",
"service": "AVS",
"services": [
- "WAF",
- "AKV",
"ExpressRoute",
- "AVS"
+ "AVS",
+ "WAF",
+ "AKV"
],
"severity": "Low",
"text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
@@ -30083,8 +30978,8 @@
"guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
"service": "AVS",
"services": [
- "WAF",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Low",
"text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
@@ -30108,9 +31003,9 @@
"guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
"service": "AVS",
"services": [
- "WAF",
"Subscriptions",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "Medium",
"text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
@@ -30122,8 +31017,8 @@
"guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
"service": "AVS",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -30172,8 +31067,8 @@
"guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
"service": "AVS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
@@ -30186,8 +31081,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
"service": "AVS",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
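Review bot: The `link` on this item does not match its content: an AVS/HCX MON-limit recommendation points at the Entra Application Proxy page. The same mismatch recurs in later hunks of this chunk, e.g. AVS Netapp Files → `waf-front-door-policy-settings`, AVS stretched-cluster DR → Front Door health-probe pages, ExpressRoute GlobalReach → `nat-overview`, Traffic Manager non-HTTP apps → `ag/ag-overview`, and the App Gateway "Prevention mode" item → the Front Door policy page (a few other Front Door/AVS items with Front Door or App Gateway links have their `text` outside the hunk, so I can only flag those as suspect). Since these links are what a reader follows to act on the recommendation, each should be checked against `service` and `text` and corrected, ideally with a generator-side check that a learn.microsoft.com path segment is consistent with the item's `service`.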
@@ -30214,8 +31109,8 @@
"guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
"service": "AVS",
"services": [
- "WAF",
- "VPN"
+ "VPN",
+ "WAF"
],
"severity": "Medium",
"text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
@@ -30252,10 +31147,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
"service": "AVS",
"services": [
- "WAF",
"VM",
- "Storage",
- "AVS"
+ "AVS",
+ "WAF",
+ "Storage"
],
"severity": "Medium",
"text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
@@ -30268,8 +31163,8 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
"service": "AVS",
"services": [
- "WAF",
"ExpressRoute",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -30283,8 +31178,8 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
"service": "AVS",
"services": [
- "WAF",
"ExpressRoute",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -30298,8 +31193,8 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
"service": "AVS",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "High",
"text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
@@ -30325,8 +31220,8 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
"service": "AVS",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "High",
"text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
@@ -30339,8 +31234,8 @@
"link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
"service": "AVS",
"services": [
- "WAF",
- "ExpressRoute"
+ "ExpressRoute",
+ "WAF"
],
"severity": "High",
"text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
@@ -30405,8 +31300,8 @@
"link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
"service": "Cognitive Search",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions",
@@ -30419,8 +31314,8 @@
"link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
"service": "Cognitive Search",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services",
@@ -30433,8 +31328,8 @@
"link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
"service": "Cognitive Search",
"services": [
- "WAF",
- "TrafficManager"
+ "TrafficManager",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Traffic Manager to coordinate requests",
@@ -30447,8 +31342,8 @@
"link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
"service": "Cognitive Search",
"services": [
- "WAF",
"Backup",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -30488,8 +31383,8 @@
"link": "https://learn.microsoft.com/azure/data-factory/source-control",
"service": "Azure Data Factory",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ",
@@ -30502,8 +31397,8 @@
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery",
"service": "Azure Data Factory",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ",
@@ -30547,8 +31442,8 @@
"service": "Azure Data Explorer",
"services": [
"WAF",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"text": "Leverage External Tables and Continuous data export overview to reduce costs",
"waf": "Reliability"
@@ -30575,8 +31470,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
"service": "Azure Data Explorer",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
"waf": "Reliability"
@@ -30588,8 +31483,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
"service": "Azure Data Explorer",
"services": [
- "WAF",
"RBAC",
+ "WAF",
"Storage"
],
"text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
@@ -30615,8 +31510,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
"service": "Azure Data Explorer",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
"waf": "Reliability"
@@ -30629,8 +31524,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
"service": "Azure Data Explorer",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"text": "For critical applications, create Active-Active configuration in two paired regions",
"waf": "Reliability"
@@ -30656,11 +31551,11 @@
"link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
"service": "Azure Data Explorer",
"services": [
- "WAF",
- "Cost",
+ "AzurePolicy",
"Storage",
"ASR",
- "AzurePolicy"
+ "WAF",
+ "Cost"
],
"text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
"waf": "Reliability"
@@ -30673,8 +31568,8 @@
"link": "https://learn.microsoft.com/azure/data-explorer/devops",
"service": "Azure Data Explorer",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"text": "Wrap DevOps and source control around all your code",
"training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
@@ -30713,9 +31608,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
"service": "Key Vault",
"services": [
+ "Backup",
"WAF",
- "AKV",
- "Backup"
+ "AKV"
],
"severity": "High",
"text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.",
@@ -30728,8 +31623,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
"service": "Key Vault",
"services": [
- "WAF",
"ACR",
+ "WAF",
"AKV"
],
"severity": "Medium",
@@ -30757,9 +31652,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions",
"service": "Key Vault",
"services": [
+ "AzurePolicy",
"WAF",
- "AKV",
- "AzurePolicy"
+ "AKV"
],
"severity": "Medium",
"text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.",
@@ -30772,11 +31667,11 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations",
"service": "Key Vault",
"services": [
- "WAF",
- "AKV",
"Subscriptions",
+ "Backup",
+ "AKV",
"Storage",
- "Backup"
+ "WAF"
],
"severity": "Medium",
"text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.",
@@ -30817,9 +31712,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
"service": "Key Vault",
"services": [
+ "Backup",
"WAF",
- "AKV",
- "Backup"
+ "AKV"
],
"severity": "Low",
"text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.",
@@ -30832,9 +31727,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations",
"service": "Key Vault",
"services": [
+ "Backup",
"WAF",
- "AKV",
- "Backup"
+ "AKV"
],
"severity": "Low",
"text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.",
@@ -30847,9 +31742,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection",
"service": "Key Vault",
"services": [
+ "EventHubs",
"WAF",
- "AKV",
- "EventHubs"
+ "AKV"
],
"severity": "Medium",
"text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.",
@@ -30917,8 +31812,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure you are using Application Gateway v2 SKU",
@@ -30962,9 +31857,9 @@
"link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
"service": "App Gateway",
"services": [
+ "AppGW",
"WAF",
- "VNet",
- "AppGW"
+ "VNet"
],
"severity": "Medium",
"text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
@@ -30979,12 +31874,12 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW",
"VNet",
- "NVA",
"Subscriptions",
- "Entra"
+ "NVA",
+ "AppGW",
+ "Entra",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
@@ -30998,8 +31893,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "DDoS"
+ "DDoS",
+ "WAF"
],
"severity": "Medium",
"text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
@@ -31029,9 +31924,9 @@
"link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
"service": "App Gateway",
"services": [
- "WAF",
"ACR",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy Application Gateway across Availability Zones",
@@ -31045,8 +31940,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -31061,10 +31956,10 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "Front Door",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "FrontDoor",
- "AppGW"
+ "WAF",
+ "FrontDoor"
],
"severity": "Medium",
"text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
@@ -31079,8 +31974,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "Traffic Manager",
"services": [
- "WAF",
- "TrafficManager"
+ "TrafficManager",
+ "WAF"
],
"severity": "High",
"text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
@@ -31093,9 +31988,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
"service": "Entra",
"services": [
+ "AVD",
"WAF",
- "Entra",
- "AVD"
+ "Entra"
],
"severity": "Low",
"text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
@@ -31125,8 +32020,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -31141,8 +32036,8 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
"service": "Front Door",
"services": [
- "WAF",
"TrafficManager",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -31233,10 +32128,10 @@
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
"service": "Front Door",
"services": [
+ "FrontDoor",
"WAF",
"AKV",
- "Cost",
- "FrontDoor"
+ "Cost"
],
"severity": "High",
"text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
@@ -31323,8 +32218,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
"service": "Front Door",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -31439,8 +32334,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "High",
"text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.",
@@ -31454,9 +32349,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
"service": "App Gateway",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "AppGW"
+ "WAF"
],
"severity": "High",
"text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.",
@@ -31470,8 +32365,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "High",
"text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.",
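Review bot: The `"WAF"` entry in `services` is ambiguous on this item: here the recommendation is literally about the Azure Application Gateway Web Application Firewall, yet `"WAF"` appears in every `services` array in this diff, including AVS backup and Cosmos DB items, alongside a separate `"waf"` pillar key, so it evidently stands for the Well-Architected Framework rather than the product. Anyone filtering the checklist by the WAF product tag will get every item in the file. Consider a distinct tag for the framework (or dropping it, since the `waf` key already carries the pillar) so the product tag can be used meaningfully on items like this one.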
@@ -31486,9 +32381,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
"service": "App Gateway",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "AppGW"
+ "WAF"
],
"severity": "High",
"text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.",
@@ -31501,8 +32396,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
@@ -31515,8 +32410,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
@@ -31542,8 +32437,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
@@ -31556,8 +32451,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
@@ -31570,8 +32465,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.",
@@ -31598,8 +32493,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
"service": "App Gateway",
"services": [
- "WAF",
"AppGW",
+ "WAF",
"Sentinel"
],
"severity": "Medium",
@@ -31614,8 +32509,8 @@
"service": "Front Door",
"services": [
"WAF",
- "FrontDoor",
- "Sentinel"
+ "Sentinel",
+ "FrontDoor"
],
"severity": "Medium",
"text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
@@ -31628,8 +32523,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
@@ -31642,8 +32537,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
"service": "App Gateway",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Use WAF Policies instead of the legacy WAF configuration.",
@@ -31656,11 +32551,11 @@
"link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW",
+ "VPN",
"VNet",
+ "AppGW",
"ExpressRoute",
- "VPN"
+ "WAF"
],
"severity": "Medium",
"text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
@@ -31832,8 +32727,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
"service": "App Gateway",
"services": [
- "WAF",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Low",
"text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
@@ -31894,8 +32789,8 @@
"link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
"service": "Windows AD",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
@@ -31990,12 +32885,12 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
"service": "Service Bus",
"services": [
- "WAF",
+ "TrafficManager",
"ServiceBus",
- "RBAC",
"AzurePolicy",
"Entra",
- "TrafficManager"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Avoid using root account when it is not necessary",
@@ -32010,13 +32905,13 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
"service": "Service Bus",
"services": [
- "WAF",
"ServiceBus",
- "AKV",
- "Storage",
- "VM",
+ "Entra",
"AppSvc",
- "Entra"
+ "VM",
+ "Storage",
+ "AKV",
+ "WAF"
],
"severity": "Medium",
"text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
@@ -32031,11 +32926,11 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
"service": "Service Bus",
"services": [
- "WAF",
"ServiceBus",
"Subscriptions",
"Storage",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "High",
"text": "Use least privilege data plane RBAC",
@@ -32050,10 +32945,10 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
"service": "Service Bus",
"services": [
+ "Monitor",
"WAF",
- "ServiceBus",
"VNet",
- "Monitor"
+ "ServiceBus"
],
"severity": "Medium",
"text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
@@ -32068,10 +32963,10 @@
"link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
"service": "Service Bus",
"services": [
+ "PrivateLink",
"WAF",
- "ServiceBus",
"VNet",
- "PrivateLink"
+ "ServiceBus"
],
"severity": "Medium",
"text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
@@ -32168,8 +33063,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
"service": "VMSS",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Low",
"text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
@@ -32183,9 +33078,9 @@
"link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
"service": "VM",
"services": [
- "WAF",
"Backup",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
@@ -32199,8 +33094,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "Use Premium or Ultra disks for production VMs",
@@ -32214,8 +33109,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "Ensure Managed Disks are used for all VMs",
@@ -32229,10 +33124,10 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
"service": "VM",
"services": [
- "WAF",
+ "SQL",
"VM",
- "Storage",
- "SQL"
+ "WAF",
+ "Storage"
],
"severity": "Medium",
"text": "Do not use the Temp disk for anything that is not acceptable to be lost",
@@ -32246,9 +33141,9 @@
"link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
"service": "VM",
"services": [
- "WAF",
"ACR",
"VM",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -32263,8 +33158,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
@@ -32278,9 +33173,9 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability",
"service": "VM",
"services": [
- "WAF",
"ASR",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "Avoid running a production workload on a single VM",
@@ -32294,10 +33189,10 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
"service": "VM",
"services": [
- "WAF",
"ASR",
"VM",
- "AVS"
+ "AVS",
+ "WAF"
],
"severity": "High",
"text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
@@ -32325,9 +33220,9 @@
"link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
"service": "VM",
"services": [
- "WAF",
"ASR",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Increase quotas in DR region before testing failover with ASR",
@@ -32341,8 +33236,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Low",
"text": "Utilize Scheduled Events to prepare for VM maintenance",
@@ -32416,8 +33311,8 @@
"link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
"service": "Azure Backup",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
@@ -32431,8 +33326,8 @@
"link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
"service": "Azure Backup",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Low",
"text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
@@ -32446,8 +33341,8 @@
"link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
"service": "Azure Backup",
"services": [
- "WAF",
"Backup",
+ "WAF",
"Storage"
],
"severity": "Low",
@@ -32462,10 +33357,10 @@
"link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
"service": "DNS",
"services": [
- "WAF",
- "DNS",
"ASR",
- "ACR"
+ "DNS",
+ "ACR",
+ "WAF"
],
"severity": "Low",
"text": "Implement DNS Failover using Azure DNS Private Resolvers",
@@ -32479,8 +33374,8 @@
"link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
"service": "Data Gateways",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
@@ -32494,8 +33389,8 @@
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
"service": "NVA",
"services": [
- "WAF",
- "NVA"
+ "NVA",
+ "WAF"
],
"severity": "High",
"text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
@@ -32548,8 +33443,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
"service": "CosmosDB",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "Leverage Multi-Region Writes",
@@ -32563,8 +33458,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
"service": "CosmosDB",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "Distribute your data globally",
@@ -32592,8 +33487,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
"service": "CosmosDB",
"services": [
- "WAF",
- "CosmosDB"
+ "CosmosDB",
+ "WAF"
],
"severity": "Medium",
"text": "Enable Service managed failover",
@@ -32607,9 +33502,9 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
"service": "CosmosDB",
"services": [
- "WAF",
"Backup",
"CosmosDB",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -32625,8 +33520,8 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
"service": "CosmosDB",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Perform Periodic Backups",
@@ -32641,9 +33536,9 @@
"link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
"service": "CosmosDB",
"services": [
- "WAF",
"Backup",
- "CosmosDB"
+ "CosmosDB",
+ "WAF"
],
"severity": "Medium",
"text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
@@ -32670,8 +33565,8 @@
"link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
"service": "Cognitive Services",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Backup Your Prompts",
@@ -32684,8 +33579,8 @@
"link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
"service": "Cognitive Services",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "High",
"text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
@@ -32698,8 +33593,8 @@
"link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
"service": "Cognitive Services",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Backup Your ChatGPT conversations",
@@ -32778,8 +33673,8 @@
"link": "https://learn.microsoft.com/purview/disaster-recovery",
"service": "Purview",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "High",
"text": "Plan a backup strategy and take regular backups",
@@ -32792,8 +33687,8 @@
"link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
"service": "Purview",
"services": [
- "WAF",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "Low",
"text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
@@ -32858,8 +33753,8 @@
"link": "https://learn.microsoft.com/purview/disaster-recovery",
"service": "Purview",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Follow Backup and Migration Best practices",
@@ -33055,8 +33950,8 @@
"link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
"service": "Purview",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Low",
"text": "Follow Microsoft Purview Data Owner access policies",
@@ -33069,8 +33964,8 @@
"link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
"service": "Purview",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Low",
"text": "Follow Self-service access policies",
@@ -33083,8 +33978,8 @@
"link": "https://learn.microsoft.com/purview/concept-policies-devops",
"service": "Purview",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Low",
"text": "Follow DevOps policies",
@@ -33176,8 +34071,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
"service": "ACR",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "High",
"text": "Disable Azure Container Registry image export",
@@ -33191,9 +34086,9 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
"service": "ACR",
"services": [
- "WAF",
"ACR",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "High",
"text": "Enable Azure Policies for Azure Container Registry",
@@ -33207,8 +34102,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
"service": "ACR",
"services": [
- "WAF",
"ACR",
+ "WAF",
"AKV"
],
"severity": "High",
@@ -33223,8 +34118,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
"service": "ACR",
"services": [
- "WAF",
"ACR",
+ "WAF",
"AKV"
],
"severity": "Medium",
@@ -33239,10 +34134,10 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
"service": "ACR",
"services": [
- "WAF",
- "Entra",
"RBAC",
- "ACR"
+ "ACR",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Use Managed Identities to connect instead of Service Principals",
@@ -33256,8 +34151,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
"service": "ACR",
"services": [
- "WAF",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "High",
"text": "Disable local authentication for management plane access",
@@ -33271,9 +34166,9 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
"service": "ACR",
"services": [
- "WAF",
- "ACR",
"RBAC",
+ "ACR",
+ "WAF",
"Entra"
],
"severity": "High",
@@ -33316,10 +34211,10 @@
"guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
"service": "ACR",
"services": [
- "WAF",
+ "PrivateLink",
"ACR",
"EventHubs",
- "PrivateLink"
+ "WAF"
],
"severity": "High",
"text": "Deploy images from a trusted environment",
@@ -33333,9 +34228,9 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
"service": "ACR",
"services": [
- "WAF",
"ACR",
"AzurePolicy",
+ "WAF",
"Entra"
],
"severity": "Medium",
@@ -33350,9 +34245,9 @@
"link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
"service": "ACR",
"services": [
- "WAF",
"ACR",
"Monitor",
+ "WAF",
"Entra"
],
"severity": "Medium",
@@ -33367,10 +34262,10 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
"service": "ACR",
"services": [
- "WAF",
+ "PrivateLink",
"Firewall",
- "VNet",
- "PrivateLink"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Control inbound network access with Private Link",
@@ -33384,8 +34279,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
"service": "ACR",
"services": [
- "WAF",
- "PrivateLink"
+ "PrivateLink",
+ "WAF"
],
"severity": "Medium",
"text": "Disable Public Network access",
@@ -33399,9 +34294,9 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
"service": "ACR",
"services": [
- "WAF",
+ "PrivateLink",
"ACR",
- "PrivateLink"
+ "WAF"
],
"severity": "Medium",
"text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
@@ -33415,9 +34310,9 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
"service": "ACR",
"services": [
- "WAF",
+ "Defender",
"ACR",
- "Defender"
+ "WAF"
],
"severity": "Low",
"text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
@@ -33457,8 +34352,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
"service": "Event Hubs",
"services": [
- "WAF",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "Low",
"text": "Use customer-managed key option in data at rest encryption when required",
@@ -33473,8 +34368,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
"service": "Event Hubs",
"services": [
- "WAF",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "Medium",
"text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
@@ -33489,12 +34384,12 @@
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
"service": "Event Hubs",
"services": [
- "WAF",
+ "TrafficManager",
"EventHubs",
"AzurePolicy",
- "RBAC",
"Entra",
- "TrafficManager"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Avoid using root account when it is not necessary",
@@ -33509,12 +34404,12 @@
"link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
"service": "Event Hubs",
"services": [
- "WAF",
"EventHubs",
+ "VM",
"AKV",
+ "Entra",
"Storage",
- "VM",
- "Entra"
+ "WAF"
],
"severity": "Medium",
"text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
@@ -33529,9 +34424,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
"service": "Event Hubs",
"services": [
- "WAF",
"RBAC",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "High",
"text": "Use least privilege data plane RBAC",
@@ -33546,10 +34441,10 @@
"link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
"service": "Event Hubs",
"services": [
- "WAF",
- "VNet",
"EventHubs",
- "Monitor"
+ "Monitor",
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs",
@@ -33564,10 +34459,10 @@
"link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
"service": "Event Hubs",
"services": [
- "WAF",
- "VNet",
+ "PrivateLink",
"EventHubs",
- "PrivateLink"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.",
@@ -33582,8 +34477,8 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
"service": "Event Hubs",
"services": [
- "WAF",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "Medium",
"text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges",
@@ -33611,9 +34506,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
"service": "Event Hubs",
"services": [
- "WAF",
"ACR",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "High",
"text": "Leverage Availability Zones if regionally applicable",
@@ -33640,9 +34535,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
"service": "Event Hubs",
"services": [
- "WAF",
"ASR",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "High",
"text": "Plan for Geo Disaster Recovery using Active Passive configuration",
@@ -33656,9 +34551,9 @@
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
"service": "Event Hubs",
"services": [
- "WAF",
+ "ASR",
"EventHubs",
- "ASR"
+ "WAF"
],
"severity": "Medium",
"text": "For Business Critical Applications, use Active Active configuration",
@@ -33671,8 +34566,8 @@
"link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
"service": "Event Hubs",
"services": [
- "WAF",
- "EventHubs"
+ "EventHubs",
+ "WAF"
],
"severity": "Medium",
"text": "Design Resilient Event Hubs",
@@ -33685,8 +34580,8 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
"service": "Azure Monitor",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
@@ -33700,8 +34595,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
"service": "Azure Backup",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "check backup instances with the underlying datasource not found",
@@ -33727,9 +34622,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
"service": "Azure Backup",
"services": [
- "WAF",
- "Backup",
"ASR",
+ "Backup",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -33743,8 +34638,8 @@
"link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
"service": "Azure Monitor",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
@@ -33758,8 +34653,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"service": "Azure Monitor",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -33774,8 +34669,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"service": "VM",
"services": [
- "WAF",
"Backup",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -33790,8 +34685,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
"service": "Storage",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -33806,8 +34701,8 @@
"link": "https://learn.microsoft.com/azure/governance/policy/overview",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Make sure advisor is configured for VM right sizing ",
@@ -33821,9 +34716,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
"service": "VM",
"services": [
- "WAF",
- "AzurePolicy",
"VM",
+ "AzurePolicy",
+ "WAF",
"Cost"
],
"severity": "Medium",
@@ -33851,8 +34746,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
@@ -33866,10 +34761,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
"service": "VM",
"services": [
- "WAF",
"ARS",
- "Cost",
- "VM"
+ "VM",
+ "WAF",
+ "Cost"
],
"severity": "Medium",
"text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
@@ -33908,10 +34803,10 @@
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
"service": "Azure SQL",
"services": [
- "WAF",
+ "SQL",
"AzurePolicy",
- "Cost",
- "SQL"
+ "WAF",
+ "Cost"
],
"severity": "Medium",
"text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
@@ -33924,8 +34819,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
@@ -33938,8 +34833,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Consider using a VMSS to match demand rather than flat sizing",
@@ -33980,9 +34875,9 @@
"link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
"service": "Databricks",
"services": [
+ "VM",
"WAF",
- "LoadBalancer",
- "VM"
+ "LoadBalancer"
],
"severity": "Medium",
"text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.",
@@ -34091,8 +34986,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "Front Door",
"services": [
- "WAF",
"EventHubs",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -34106,8 +35001,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
"service": "Front Door",
"services": [
- "WAF",
"AppSvc",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -34174,8 +35069,8 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
"service": "Site Recovery",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "Medium",
"text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
@@ -34215,9 +35110,9 @@
"link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
"service": "Synapse",
"services": [
- "WAF",
- "Monitor",
"EventHubs",
+ "Monitor",
+ "WAF",
"Cost"
],
"severity": "Medium",
@@ -34232,8 +35127,8 @@
"service": "Synapse",
"services": [
"WAF",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
],
"severity": "Medium",
"text": "Export cost data to a storage account for additional data analysis.",
@@ -34246,9 +35141,9 @@
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
"service": "Synapse",
"services": [
+ "SQL",
"WAF",
- "Cost",
- "SQL"
+ "Cost"
],
"severity": "Medium",
"text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
@@ -34302,9 +35197,9 @@
"link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
"service": "VM",
"services": [
+ "VM",
"WAF",
- "Cost",
- "VM"
+ "Cost"
],
"severity": "Medium",
"text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
@@ -34318,8 +35213,8 @@
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Right-sizing all VMs",
@@ -34332,8 +35227,8 @@
"link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Swap VM sized with normalized and most recent sizes",
@@ -34347,9 +35242,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "VM",
"services": [
+ "Monitor",
"WAF",
- "VM",
- "Monitor"
+ "VM"
],
"severity": "Medium",
"text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
@@ -34363,8 +35258,8 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "VM",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Containerizing an application can improve VM density and save money on scaling it",
@@ -34378,8 +35273,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Implement an error handling policy at the global level",
@@ -34392,8 +35287,8 @@
"link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Ensure all APIs policies include a element.",
@@ -34406,9 +35301,9 @@
"link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
"service": "APIM",
"services": [
- "WAF",
"ACR",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
@@ -34434,8 +35329,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
"service": "APIM",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "High",
"text": "Enable Diagnostics Settings to export logs to Azure Monitor",
@@ -34461,8 +35356,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
"service": "APIM",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "High",
"text": "Configure alerts on the most critical metrics",
@@ -34543,8 +35438,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Use Named Values to store common values that can be used in policies",
@@ -34557,8 +35452,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
"service": "APIM",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
@@ -34584,8 +35479,8 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
"service": "APIM",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "High",
"text": "Ensure there is an automated backup routine",
@@ -34598,8 +35493,8 @@
"link": "https://learn.microsoft.com/azure/api-management/retry-policy",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
@@ -34612,9 +35507,9 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
"service": "APIM",
"services": [
- "WAF",
"EventHubs",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Low",
"text": "If you need to log at high performance levels, consider Event Hubs policy",
@@ -34627,8 +35522,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Apply throttling policies to control the number of requests per second",
@@ -34681,8 +35576,8 @@
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
"service": "APIM",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
@@ -34695,9 +35590,9 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
"service": "APIM",
"services": [
+ "APIM",
"WAF",
- "Entra",
- "APIM"
+ "Entra"
],
"severity": "High",
"text": "Be aware of APIM's limits",
@@ -34723,10 +35618,10 @@
"link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
"service": "APIM",
"services": [
- "WAF",
- "Entra",
"APIM",
- "FrontDoor"
+ "FrontDoor",
+ "WAF",
+ "Entra"
],
"severity": "Medium",
"text": "Use Azure Front Door in front of APIM for multi-region deployment",
@@ -34753,11 +35648,11 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
"service": "APIM",
"services": [
- "WAF",
- "Monitor",
"VNet",
"APIM",
- "Entra"
+ "Monitor",
+ "Entra",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
@@ -34770,11 +35665,11 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
"service": "APIM",
"services": [
- "WAF",
- "PrivateLink",
"VNet",
+ "PrivateLink",
"APIM",
- "Entra"
+ "Entra",
+ "WAF"
],
"severity": "Medium",
"text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
@@ -34813,9 +35708,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
"service": "APIM",
"services": [
+ "APIM",
"WAF",
- "Entra",
- "APIM"
+ "Entra"
],
"severity": "Medium",
"text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
@@ -34828,9 +35723,9 @@
"link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
"service": "APIM",
"services": [
+ "APIM",
"WAF",
- "Entra",
- "APIM"
+ "Entra"
],
"severity": "Medium",
"text": "Promote usage of Visual Studio Code APIM extension for faster API development",
@@ -34949,10 +35844,10 @@
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
"service": "APIM",
"services": [
- "WAF",
- "Entra",
"APIM",
- "AppGW"
+ "AppGW",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
@@ -34981,8 +35876,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
"service": "Azure Storage",
"services": [
- "WAF",
"PrivateLink",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -34997,9 +35892,9 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
"service": "Azure Storage",
"services": [
- "WAF",
"RBAC",
"Subscriptions",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -35014,8 +35909,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
"service": "Azure Storage",
"services": [
- "WAF",
"Defender",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -35104,9 +35999,9 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
"service": "Azure Storage",
"services": [
- "WAF",
- "AzurePolicy",
"Subscriptions",
+ "AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -35167,8 +36062,8 @@
"service": "Azure Storage",
"services": [
"WAF",
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"text": "Use Azure Active Directory (Azure AD) tokens for blob access",
@@ -35181,8 +36076,8 @@
"guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
"service": "Azure Storage",
"services": [
- "WAF",
- "RBAC"
+ "RBAC",
+ "WAF"
],
"severity": "Medium",
"text": "Least privilege in IaM permissions",
@@ -35197,8 +36092,8 @@
"service": "Azure Storage",
"services": [
"WAF",
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
@@ -35212,11 +36107,11 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
"service": "Azure Storage",
"services": [
- "WAF",
"Monitor",
"AKV",
+ "Entra",
"Storage",
- "Entra"
+ "WAF"
],
"severity": "High",
"text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.",
@@ -35230,11 +36125,11 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
"service": "Azure Storage",
"services": [
- "WAF",
+ "AzurePolicy",
"Monitor",
- "AKV",
"Storage",
- "AzurePolicy"
+ "AKV",
+ "WAF"
],
"severity": "High",
"text": "Consider using Azure Monitor to audit control plane operations on the storage account",
@@ -35248,9 +36143,9 @@
"link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
"service": "Azure Storage",
"services": [
+ "AzurePolicy",
"WAF",
"AKV",
- "AzurePolicy",
"Storage"
],
"severity": "Medium",
@@ -35265,8 +36160,8 @@
"link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
"service": "Azure Storage",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Consider configuring an SAS expiration policy",
@@ -35280,9 +36175,9 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
"service": "Azure Storage",
"services": [
+ "AzurePolicy",
"WAF",
"AKV",
- "AzurePolicy",
"Storage"
],
"severity": "Medium",
@@ -35313,8 +36208,8 @@
"service": "Azure Storage",
"services": [
"WAF",
- "Entra",
- "Storage"
+ "Storage",
+ "Entra"
],
"severity": "High",
"text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
@@ -35328,8 +36223,8 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
"service": "Azure Storage",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -35386,10 +36281,10 @@
"link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
"service": "Azure Storage",
"services": [
- "WAF",
- "Entra",
"RBAC",
- "Storage"
+ "WAF",
+ "Storage",
+ "Entra"
],
"severity": "High",
"text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
@@ -35416,8 +36311,8 @@
"link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
"service": "Azure Storage",
"services": [
- "WAF",
"AzurePolicy",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -35623,8 +36518,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"service": "ACR",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "High",
"text": "If using a private registry, configure region replication to store images in multiple regions",
@@ -35692,9 +36587,9 @@
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"service": "AKS",
"services": [
+ "AzurePolicy",
"WAF",
- "AKS",
- "AzurePolicy"
+ "AKS"
],
"severity": "Medium",
"text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
@@ -35734,8 +36629,8 @@
"link": "https://learn.microsoft.com/azure/container-registry/",
"service": "AKS",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "Use a private registry for your images, such as ACR",
@@ -35828,8 +36723,8 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
"service": "AKS",
"services": [
- "WAF",
- "Defender"
+ "Defender",
+ "WAF"
],
"severity": "Medium",
"text": "Consider using Defender for Containers",
@@ -35885,9 +36780,9 @@
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"service": "AKS",
"services": [
+ "RBAC",
"WAF",
- "Entra",
- "RBAC"
+ "Entra"
],
"severity": "Medium",
"text": "Integrate authorization with AAD RBAC",
@@ -35900,9 +36795,9 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"service": "AKS",
"services": [
+ "RBAC",
"WAF",
- "AKS",
- "RBAC"
+ "AKS"
],
"severity": "High",
"text": "Use namespaces for restricting RBAC privilege in Kubernetes",
@@ -36014,9 +36909,9 @@
"link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
"service": "AKS",
"services": [
- "WAF",
"ACR",
- "AppGW"
+ "AppGW",
+ "WAF"
],
"severity": "Medium",
"text": "If using AGIC, do not share an AppGW across clusters",
@@ -36086,9 +36981,9 @@
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"service": "AKS",
"services": [
+ "PrivateLink",
"WAF",
- "VNet",
- "PrivateLink"
+ "VNet"
],
"severity": "Medium",
"text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster",
@@ -36143,8 +37038,8 @@
"link": "https://learn.microsoft.com/azure/aks/internal-lb",
"service": "AKS",
"services": [
- "WAF",
"AKS",
+ "WAF",
"VNet"
],
"severity": "Low",
@@ -36238,8 +37133,8 @@
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"service": "AKS",
"services": [
- "WAF",
- "NVA"
+ "NVA",
+ "WAF"
],
"severity": "High",
"text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
@@ -36281,9 +37176,9 @@
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"service": "AKS",
"services": [
+ "AzurePolicy",
"WAF",
- "AKS",
- "AzurePolicy"
+ "AKS"
],
"severity": "Medium",
"text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ",
@@ -36297,9 +37192,9 @@
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"service": "AKS",
"services": [
+ "AzurePolicy",
"WAF",
- "AKS",
- "AzurePolicy"
+ "AKS"
],
"severity": "High",
"text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
@@ -36312,9 +37207,9 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"service": "AKS",
"services": [
+ "AzurePolicy",
"WAF",
- "AKS",
- "AzurePolicy"
+ "AKS"
],
"severity": "High",
"text": "Use Kubernetes network policies to increase intra-cluster security",
@@ -36341,10 +37236,10 @@
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
"service": "AKS",
"services": [
- "WAF",
+ "DDoS",
"AKS",
- "VNet",
- "DDoS"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Use DDoS Standard in the AKS Virtual Network",
@@ -36384,8 +37279,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"service": "AKS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "High",
"text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
@@ -36574,8 +37469,8 @@
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"service": "AKS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Low",
"text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
@@ -36629,8 +37524,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"service": "AKS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "High",
"text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
@@ -36657,8 +37552,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"service": "AKS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Monitor CPU and memory utilization of the nodes",
@@ -36671,8 +37566,8 @@
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"service": "AKS",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "If using Azure CNI, monitor % of pod IPs consumed per node",
@@ -36686,11 +37581,11 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"service": "AKS",
"services": [
- "WAF",
"ServiceBus",
"EventHubs",
"Monitor",
- "Storage"
+ "Storage",
+ "WAF"
],
"severity": "Medium",
"text": "Monitor OS disk queue depth in nodes",
@@ -36703,10 +37598,10 @@
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"service": "AKS",
"services": [
- "WAF",
- "LoadBalancer",
"NVA",
- "Monitor"
+ "Monitor",
+ "WAF",
+ "LoadBalancer"
],
"severity": "Medium",
"text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
@@ -36759,8 +37654,8 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"service": "AKS",
"services": [
- "WAF",
- "Subscriptions"
+ "Subscriptions",
+ "WAF"
],
"severity": "High",
"text": "Ensure your subscription has enough quota to scale out your nodepools",
@@ -36941,9 +37836,9 @@
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"service": "AKS",
"services": [
+ "SQL",
"WAF",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)",
@@ -36997,8 +37892,8 @@
"link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
"service": "Spring Apps",
"services": [
- "WAF",
"TrafficManager",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -37012,8 +37907,8 @@
"link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
"service": "Spring Apps",
"services": [
- "WAF",
- "ACR"
+ "ACR",
+ "WAF"
],
"severity": "Medium",
"text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.",
@@ -37039,8 +37934,8 @@
"link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
"service": "Spring Apps",
"services": [
- "WAF",
- "Monitor"
+ "Monitor",
+ "WAF"
],
"severity": "Medium",
"text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.",
@@ -37291,8 +38186,8 @@
"link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
"service": "Container Apps",
"services": [
- "WAF",
"TrafficManager",
+ "WAF",
"FrontDoor"
],
"severity": "High",
@@ -37305,8 +38200,8 @@
"link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
@@ -37319,8 +38214,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
@@ -37333,8 +38228,8 @@
"link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
@@ -37345,8 +38240,8 @@
"guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
"service": "SAP",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "Medium",
"text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
@@ -37358,12 +38253,12 @@
"link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
"service": "SAP",
"services": [
- "WAF",
- "Storage",
"SQL",
- "SAP",
"Backup",
- "ASR"
+ "Storage",
+ "ASR",
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
@@ -37376,8 +38271,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
@@ -37390,10 +38285,10 @@
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"service": "SAP",
"services": [
- "WAF",
- "ExpressRoute",
"ASR",
- "VPN"
+ "ExpressRoute",
+ "VPN",
+ "WAF"
],
"severity": "High",
"text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
@@ -37406,8 +38301,8 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
"service": "SAP",
"services": [
- "WAF",
"ACR",
+ "WAF",
"AKV"
],
"severity": "Low",
@@ -37420,10 +38315,10 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
"service": "SAP",
"services": [
- "WAF",
- "VNet",
"ASR",
- "SAP"
+ "SAP",
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
@@ -37435,9 +38330,9 @@
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "Low",
"text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
@@ -37476,10 +38371,10 @@
"guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
"service": "SAP",
"services": [
- "WAF",
- "Entra",
"ASR",
- "VM"
+ "VM",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
@@ -37492,8 +38387,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.",
@@ -37506,8 +38401,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
@@ -37520,8 +38415,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
"service": "SAP",
"services": [
- "WAF",
"VM",
+ "WAF",
"Storage"
],
"severity": "High",
@@ -37535,9 +38430,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "High",
"text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
@@ -37550,8 +38445,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
@@ -37564,9 +38459,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "LoadBalancer",
- "SAP"
+ "LoadBalancer"
],
"severity": "High",
"text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
@@ -37606,10 +38501,10 @@
"link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
"service": "SAP",
"services": [
- "WAF",
- "Entra",
+ "SAP",
"VM",
- "SAP"
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
@@ -37621,10 +38516,10 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
"service": "SAP",
"services": [
- "WAF",
- "Entra",
"RBAC",
- "VM"
+ "VM",
+ "WAF",
+ "Entra"
],
"severity": "High",
"text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
@@ -37650,8 +38545,8 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
"service": "SAP",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "High",
"text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.",
@@ -37664,9 +38559,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "High",
"text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.",
@@ -37678,9 +38573,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"ACR",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions",
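Review bot: The `"ACR",` tag kept on the new side of this `services` array looks like a false positive: the recommendation is about proximity placement groups per SAP SID and does not involve Container Registry. The text's word "across" contains the substring "acr", which suggests the tag assignment is substring-based rather than token-based; this is inferred from the pattern, please verify against the generator. If the list is produced automatically, match whole words (a word-boundary regex or an explicit per-item tag list) and drop `"ACR",` here so the tag remains a reliable filter for reviewers.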
@@ -37692,9 +38587,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "High",
"text": "Use one of the following services to run SAP central services clusters, depending on the operating system.",
@@ -37707,9 +38602,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
"service": "SAP",
"services": [
+ "VM",
"WAF",
- "Entra",
- "VM"
+ "Entra"
],
"severity": "Medium",
"text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
@@ -37722,8 +38617,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
"service": "SAP",
"services": [
- "WAF",
"VM",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -37736,8 +38631,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
@@ -37764,9 +38659,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "High",
"text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
@@ -37779,10 +38674,10 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
"service": "SAP",
"services": [
- "WAF",
"ASR",
- "Storage",
- "SAP"
+ "SAP",
+ "WAF",
+ "Storage"
],
"severity": "High",
"text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
@@ -37795,9 +38690,9 @@
"link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "High",
"text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
@@ -37809,9 +38704,9 @@
"link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Cost",
- "SAP"
+ "Cost"
],
"severity": "Medium",
"text": "Automate SAP System Start-Stop to manage costs.",
@@ -37823,11 +38718,11 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
"service": "SAP",
"services": [
- "WAF",
- "Cost",
+ "VM",
"Storage",
"SAP",
- "VM"
+ "WAF",
+ "Cost"
],
"severity": "Low",
"text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
@@ -37839,11 +38734,11 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
"service": "SAP",
"services": [
- "WAF",
- "Cost",
+ "VM",
"Storage",
"SAP",
- "VM"
+ "WAF",
+ "Cost"
],
"severity": "Low",
"text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
@@ -37855,9 +38750,9 @@
"link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
"service": "SAP",
"services": [
- "WAF",
"RBAC",
- "Subscriptions"
+ "Subscriptions",
+ "WAF"
],
"severity": "High",
"text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
@@ -37870,9 +38765,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
@@ -37885,9 +38780,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
@@ -37899,8 +38794,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
@@ -37912,8 +38807,8 @@
"guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
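Review bot: This entry repeats the text of the item immediately above it (`Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.`) but has no `link`, so the new side still ships a duplicate recommendation where one copy lacks its reference. The reordering of `services` in this hunk does not address that; either remove this entry or merge it into the linked one, keeping a single guid. If two distinct checks were intended (e.g. Fiori vs. Web GUI), differentiate the `text` so reviewers are not asked the same question twice.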
@@ -37926,8 +38821,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
@@ -37939,9 +38834,9 @@
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "AKV",
- "SAP"
+ "AKV"
],
"severity": "Medium",
"text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
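Review bot: This item is the copy without a `link` of the SNC/Kerberos/SPNEGO recommendation that appears again in the next entry (identical `text`, the second one pointing to the SAP SSO blog post), so the checklist carries a duplicate on the new side. Keep one entry, preferably the one with the reference, and retire the other guid. The `"AKV",` tag here also looks unrelated to the text (Secure Login Server and Kerberos/SPNEGO do not involve Key Vault); it may have been triggered by the word "certificates", so please confirm it before relying on the tag.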
@@ -37954,9 +38849,9 @@
"link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "AKV",
- "SAP"
+ "AKV"
],
"severity": "Medium",
"text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
@@ -37968,8 +38863,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
@@ -37981,8 +38876,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Implement SSO to SAP HANA",
@@ -37994,9 +38889,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
@@ -38008,8 +38903,8 @@
"link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
@@ -38021,9 +38916,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
@@ -38035,8 +38930,8 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Implement SSO to SAP BTP",
@@ -38048,9 +38943,9 @@
"link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.",
@@ -38062,10 +38957,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
"service": "SAP",
"services": [
- "WAF",
- "AzurePolicy",
+ "SAP",
"Subscriptions",
- "SAP"
+ "WAF",
+ "AzurePolicy"
],
"severity": "Medium",
"text": "enforce existing Management Group policies to SAP Subscriptions",
@@ -38078,9 +38973,9 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"Subscriptions",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
@@ -38093,8 +38988,8 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
"service": "SAP",
"services": [
- "WAF",
- "Subscriptions"
+ "Subscriptions",
+ "WAF"
],
"severity": "High",
"text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
@@ -38107,9 +39002,9 @@
"link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
"service": "SAP",
"services": [
- "WAF",
+ "Subscriptions",
"VM",
- "Subscriptions"
+ "WAF"
],
"severity": "High",
"text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
@@ -38134,9 +39029,9 @@
"link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
"service": "SAP",
"services": [
- "WAF",
+ "Subscriptions",
"VM",
- "Subscriptions"
+ "WAF"
],
"severity": "High",
"text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
@@ -38161,8 +39056,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
"service": "SAP",
"services": [
- "WAF",
"TrafficManager",
+ "WAF",
"Cost"
],
"severity": "Medium",
@@ -38176,8 +39071,8 @@
"link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
"service": "SAP",
"services": [
- "WAF",
- "Backup"
+ "Backup",
+ "WAF"
],
"severity": "High",
"text": "Help protect your HANA database by using the Azure Backup service.",
@@ -38190,10 +39085,10 @@
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
"service": "SAP",
"services": [
- "WAF",
- "Entra",
"VM",
- "Storage"
+ "WAF",
+ "Storage",
+ "Entra"
],
"severity": "Medium",
"text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
@@ -38205,8 +39100,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "Ensure time-zone matches between the operating system and the SAP system.",
@@ -38245,9 +39140,9 @@
"link": "https://learn.microsoft.com/azure/lighthouse/overview",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Entra",
- "SAP"
+ "Entra"
],
"severity": "Medium",
"text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
@@ -38259,8 +39154,8 @@
"link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
"service": "SAP",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
@@ -38273,8 +39168,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Low",
"text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
@@ -38287,10 +39182,10 @@
"link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
"service": "SAP",
"services": [
- "WAF",
"SQL",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
@@ -38303,11 +39198,11 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
"service": "SAP",
"services": [
- "WAF",
"Monitor",
- "SAP",
"VM",
- "Entra"
+ "Entra",
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
@@ -38320,8 +39215,8 @@
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
"service": "SAP",
"services": [
- "WAF",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
@@ -38334,10 +39229,10 @@
"link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"NetworkWatcher",
- "Monitor",
- "SAP"
+ "WAF",
+ "Monitor"
],
"severity": "Medium",
"text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
@@ -38350,9 +39245,9 @@
"link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"VM",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
@@ -38364,9 +39259,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"Subscriptions",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
@@ -38379,8 +39274,8 @@
"link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
"service": "SAP",
"services": [
- "WAF",
"ASR",
+ "WAF",
"Storage"
],
"severity": "Medium",
@@ -38394,10 +39289,10 @@
"link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
"service": "SAP",
"services": [
- "WAF",
- "Sentinel",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF",
+ "Sentinel"
],
"severity": "Medium",
"text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
@@ -38424,9 +39319,9 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
"service": "SAP",
"services": [
+ "Monitor",
"WAF",
- "VM",
- "Monitor"
+ "VM"
],
"severity": "Low",
"text": "Use inter-VM latency monitoring for latency-sensitive applications.",
@@ -38438,10 +39333,10 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
"service": "SAP",
"services": [
- "WAF",
"ASR",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
@@ -38454,9 +39349,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "Medium",
"text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
@@ -38468,8 +39363,8 @@
"link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Low",
"text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
@@ -38481,9 +39376,9 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "Storage",
- "SAP"
+ "Storage"
],
"severity": "Medium",
"text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
@@ -38496,9 +39391,9 @@
"link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
"service": "SAP",
"services": [
- "WAF",
"SQL",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
@@ -38511,10 +39406,10 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
"service": "SAP",
"services": [
- "WAF",
"ASR",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
@@ -38527,9 +39422,9 @@
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "SAP",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "AppGW"
+ "WAF"
],
"severity": "Medium",
"text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
@@ -38542,10 +39437,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
"service": "SAP",
"services": [
- "WAF",
"DNS",
+ "SAP",
"VM",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
@@ -38558,10 +39453,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
"service": "SAP",
"services": [
- "WAF",
"DNS",
- "VNet",
- "SAP"
+ "SAP",
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
@@ -38574,10 +39469,10 @@
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"ACR",
- "VNet",
- "SAP"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
@@ -38590,9 +39485,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"NVA",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
@@ -38605,10 +39500,10 @@
"link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"ACR",
- "VWAN",
- "SAP"
+ "WAF",
+ "VWAN"
],
"severity": "Medium",
"text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
@@ -38621,9 +39516,9 @@
"link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
"service": "SAP",
"services": [
+ "NVA",
"WAF",
- "VNet",
- "NVA"
+ "VNet"
],
"severity": "Medium",
"text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
@@ -38636,10 +39531,10 @@
"link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
"service": "SAP",
"services": [
- "WAF",
"VNet",
"NVA",
"SAP",
+ "WAF",
"VWAN"
],
"severity": "Medium",
@@ -38653,9 +39548,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"VM",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Public IP assignment to VM running SAP Workload is not recommended.",
@@ -38668,8 +39563,8 @@
"link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
"service": "SAP",
"services": [
- "WAF",
- "ASR"
+ "ASR",
+ "WAF"
],
"severity": "High",
"text": "Consider reserving IP address on DR side when configuring ASR",
@@ -38710,8 +39605,8 @@
"link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
"service": "SAP",
"services": [
- "WAF",
- "Firewall"
+ "Firewall",
+ "WAF"
],
"severity": "Medium",
"text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
@@ -38724,9 +39619,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"AppGW",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
@@ -38739,9 +39634,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "SAP",
"services": [
- "WAF",
"ACR",
"AzurePolicy",
+ "WAF",
"FrontDoor"
],
"severity": "Medium",
@@ -38755,10 +39650,10 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
"service": "SAP",
"services": [
- "WAF",
+ "AppGW",
"AzurePolicy",
- "FrontDoor",
- "AppGW"
+ "WAF",
+ "FrontDoor"
],
"severity": "Medium",
"text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
@@ -38771,9 +39666,9 @@
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
"service": "SAP",
"services": [
+ "AppGW",
"WAF",
- "LoadBalancer",
- "AppGW"
+ "LoadBalancer"
],
"severity": "Medium",
"text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
@@ -38786,10 +39681,10 @@
"link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"ACR",
- "VWAN",
- "SAP"
+ "WAF",
+ "VWAN"
],
"severity": "Medium",
"text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
@@ -38802,12 +39697,12 @@
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
"service": "SAP",
"services": [
- "WAF",
- "PrivateLink",
"VNet",
- "Storage",
+ "PrivateLink",
"Backup",
- "ACR"
+ "ACR",
+ "Storage",
+ "WAF"
],
"severity": "Medium",
"text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
@@ -38820,9 +39715,9 @@
"link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"VM",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
@@ -38849,10 +39744,10 @@
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
"service": "SAP",
"services": [
- "WAF",
- "VNet",
+ "SAP",
"VM",
- "SAP"
+ "WAF",
+ "VNet"
],
"severity": "Medium",
"text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.",
@@ -38865,9 +39760,9 @@
"link": "https://me.sap.com/notes/2015553",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "VNet",
- "SAP"
+ "VNet"
],
"severity": "High",
"text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
@@ -38880,8 +39775,8 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
@@ -38894,8 +39789,8 @@
"link": "https://me.sap.com/notes/2015553",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "High",
"text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.",
@@ -38908,10 +39803,10 @@
"link": "https://me.sap.com/notes/2015553",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
"VNet",
- "Cost",
- "SAP"
+ "Cost"
],
"severity": "High",
"text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
@@ -38938,9 +39833,9 @@
"link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "VNet",
- "SAP"
+ "VNet"
],
"severity": "Medium",
"text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
@@ -38952,10 +39847,10 @@
"link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
"service": "SAP",
"services": [
- "WAF",
- "Backup",
+ "SAP",
"VM",
- "SAP"
+ "Backup",
+ "WAF"
],
"severity": "High",
"text": "Review SAP HANA database backups for Azure VMs.",
@@ -38967,10 +39862,10 @@
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
"service": "SAP",
"services": [
- "WAF",
"ASR",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Review Site Recovery built-in monitoring, where used for SAP.",
@@ -38982,9 +39877,9 @@
"link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Review the Monitoring the SAP HANA System Landscape guidance.",
@@ -38996,9 +39891,9 @@
"link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
"service": "SAP",
"services": [
- "WAF",
"Backup",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Review Oracle Database in Azure Linux VM backup strategies.",
@@ -39010,9 +39905,9 @@
"link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
"service": "SAP",
"services": [
+ "SQL",
"WAF",
- "Storage",
- "SQL"
+ "Storage"
],
"severity": "Medium",
"text": "Review the use of Azure Blob Storage with SQL Server 2016.",
@@ -39024,9 +39919,9 @@
"link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
"service": "SAP",
"services": [
- "WAF",
"Backup",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "Review the use of Automated Backup v2 for Azure VMs.",
@@ -39061,8 +39956,8 @@
"link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Activate SAP EarlyWatch Alert for all SAP components.",
@@ -39075,8 +39970,8 @@
"link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
@@ -39088,9 +39983,9 @@
"guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
"service": "SAP",
"services": [
- "WAF",
+ "SQL",
"Monitor",
- "SQL"
+ "WAF"
],
"severity": "Medium",
"text": "Review SQL Server performance monitoring using CCMS.",
@@ -39102,9 +39997,9 @@
"link": "https://me.sap.com/notes/500235",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"VM",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
@@ -39117,9 +40012,9 @@
"link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF"
],
"severity": "Medium",
"text": "Review SAP HANA studio alerts.",
@@ -39131,8 +40026,8 @@
"link": "https://me.sap.com/notes/1969700",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
@@ -39144,8 +40039,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
"service": "SAP",
"services": [
- "WAF",
- "VM"
+ "VM",
+ "WAF"
],
"severity": "Medium",
"text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
@@ -39158,8 +40053,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Medium",
"text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
@@ -39172,9 +40067,9 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
"service": "SAP",
"services": [
- "WAF",
"SQL",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Low",
"text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
@@ -39186,8 +40081,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
"service": "SAP",
"services": [
- "WAF",
- "SQL"
+ "SQL",
+ "WAF"
],
"severity": "High",
"text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
@@ -39200,11 +40095,11 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
"service": "SAP",
"services": [
- "WAF",
- "Storage",
"SQL",
+ "Backup",
+ "Storage",
"SAP",
- "Backup"
+ "WAF"
],
"severity": "High",
"text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
@@ -39245,10 +40140,10 @@
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
"service": "SAP",
"services": [
- "WAF",
"RBAC",
+ "Subscriptions",
"AzurePolicy",
- "Subscriptions"
+ "WAF"
],
"severity": "Medium",
"text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
@@ -39261,9 +40156,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
"service": "SAP",
"services": [
+ "AzurePolicy",
"WAF",
- "AKV",
- "AzurePolicy"
+ "AKV"
],
"severity": "Medium",
"text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
@@ -39276,9 +40171,9 @@
"link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
"service": "SAP",
"services": [
- "WAF",
"RBAC",
- "AzurePolicy"
+ "AzurePolicy",
+ "WAF"
],
"severity": "High",
"text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
@@ -39291,10 +40186,10 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
"service": "SAP",
"services": [
- "WAF",
+ "SAP",
"Defender",
- "Storage",
- "SAP"
+ "WAF",
+ "Storage"
],
"severity": "High",
"text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
@@ -39307,10 +40202,10 @@
"link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
"service": "SAP",
"services": [
- "WAF",
"RBAC",
+ "SAP",
"Defender",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
@@ -39323,8 +40218,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Low",
"text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
@@ -39365,9 +40260,9 @@
"link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "AKV",
- "SAP"
+ "AKV"
],
"severity": "High",
"text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
@@ -39380,10 +40275,10 @@
"link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
"service": "SAP",
"services": [
- "WAF",
"RBAC",
+ "SAP",
"Subscriptions",
- "SAP"
+ "WAF"
],
"severity": "High",
"text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
@@ -39396,10 +40291,10 @@
"link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
"service": "SAP",
"services": [
- "WAF",
- "NVA",
"PrivateLink",
- "SAP"
+ "SAP",
+ "NVA",
+ "WAF"
],
"severity": "High",
"text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
@@ -39412,8 +40307,8 @@
"link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
"service": "SAP",
"services": [
- "WAF",
"VM",
+ "WAF",
"Storage"
],
"severity": "Low",
@@ -39427,8 +40322,8 @@
"link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
"service": "SAP",
"services": [
- "WAF",
- "Defender"
+ "Defender",
+ "WAF"
],
"severity": "Low",
"text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
@@ -39441,9 +40336,9 @@
"link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
"service": "SAP",
"services": [
+ "SAP",
"WAF",
- "VNet",
- "SAP"
+ "VNet"
],
"severity": "High",
"text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
@@ -39456,8 +40351,8 @@
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
"service": "SAP",
"services": [
- "WAF",
- "SAP"
+ "SAP",
+ "WAF"
],
"severity": "Low",
"text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
@@ -39470,10 +40365,10 @@
"link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
"service": "SAP",
"services": [
- "WAF",
- "AKV",
+ "SAP",
"Monitor",
- "SAP"
+ "WAF",
+ "AKV"
],
"severity": "Medium",
"text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
@@ -39483,7 +40378,7 @@
],
"metadata": {
"name": "Master checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index 98a9ef059..710850261 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
@@ -4831,6 +4831,756 @@
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"waf": "Reliability"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Follow Metaprompting guardrails for resonsible AI",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Enable monitoring for your AOAI instances",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Monitor token usage to prevent service disruptions due to capacity",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operational Execellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Improve latency of the system by limiting token sizes, streaming options",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Service accounts follows organizational naming conventions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Review the guidance provided on setting up AI search for Reliability",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Evaluate usage of billing models - PAYG vs PTU",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Red team your GenAI applications",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Consider Quota management practices",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational Excellence"
+ },
{
"arm-service": "Microsoft.CognitiveServices/accounts",
"checklist": "Cognitive Services Review Checklist",
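Review bot: The pillar value on the entry with guid 4e4f1854-287d-45cd-a126-cc031af5b1fc is misspelled as `"waf": "Operational Execellence"` while every other entry in the hunk uses `"waf": "Operational Excellence"`, so any consumer that groups or filters by pillar will drop or mis-bucket that item; it should read `"waf": "Operational Excellence"`. The text of guid 3418db61-2712-4650-9bb4-7a393a080327 ends in a U+FFFD replacement character (`fluency, �`), which looks like a mis-encoded ellipsis and should be replaced with the intended word or trimmed to end at `fluency`. The credential guidance is internally inconsistent: guid 4350d092-d234-4292-a752-8537a551c5bf and guid 11cc57b4-a4b1-4410-b439-58a8c2289b3d say to use Managed Identity and disable key-based access, while guid 1102cac6-eae0-41e6-b842-e52f4721d928 lists "API keys" as an acceptable mechanism; suggest aligning the latter, e.g. `"text": "Ensure that APIs and endpoints used by the LLM application are secured with authentication and authorization mechanisms such as managed identities or OAuth rather than shared API keys, to prevent unauthorized access."`. Several text values also carry trailing whitespace or typos ("resonsible", "slution", "choosen", "th data stores", "Azure API Managements", and "gprtrim", presumably "gptrim") that deserve a cleanup pass, and the entries about Azure AI Search SLA, reliability and vector storage (guids 95b96ad8-844c-4e3b-8b38-b876ba2cf204, 71ca7da8-cfa9-462a-8594-946da97dc3a2, 3266b225-86f4-4a16-92bd-ddea8a487cde) are tagged `"arm-service": "Microsoft.CognitiveServices/accounts"` although they apply to the search resource, which matters if arm-service is used for resource matching.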
@@ -9651,7 +10401,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.es.json b/checklists/waf_checklist.es.json
index 484573554..73763c25f 100644
--- a/checklists/waf_checklist.es.json
+++ b/checklists/waf_checklist.es.json
@@ -4719,6 +4719,756 @@
"text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones",
"waf": "Fiabilidad"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Habilitación de la supervisión para las instancias de AOAI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. Aproveche las capacidades de PromptFlow para la evaluación.",
+ "waf": "Excelencia Operativa"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Evaluación del uso del modelo de rendimiento aprovisionado ",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Revisión e implementación de la seguridad del contenido de Azure AI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Mejore la latencia del sistema limitando el tamaño de los tokens, las opciones de transmisión",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Elija el modelo adecuado para la tarea correcta. Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo",
+ "waf": "Rendimiento"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Implementación de varias instancias de OAI en todas las regiones",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Asegúrese de tener cuotas adecuadas de TPM y RPM para la carga de trabajo",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Implemente modelos de ajuste de precisión independientes en todas las regiones si se emplea el ajuste de precisión",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ",
+ "waf": "Fiabilidad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use Azure Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. Estos datos deben recibir las mismas medidas de protección que el material de origen",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Aplique mecanismos sólidos de autenticación de usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. ",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Almacene y administre claves de forma segura con Azure Key Vault. Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. Asegúrese de optimizar el tamaño del lote",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Evalúe la calidad de los mensajes y las aplicaciones al cambiar entre versiones de modelo",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Equipo rojo con sus aplicaciones GenAI",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Proporcione a los usuarios finales opciones de puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. ",
+ "waf": "Excelencia Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Considere las prácticas de administración de cuotas",
+ "waf": "Optimización de costes"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones",
+ "waf": "Excelencia Operacional"
+ },
{
"arm-service": "Microsoft.Web/sites",
"checklist": "Azure Function Review",
@@ -8240,7 +8990,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.ja.json b/checklists/waf_checklist.ja.json
index 732ff91b7..6d6dafda7 100644
--- a/checklists/waf_checklist.ja.json
+++ b/checklists/waf_checklist.ja.json
@@ -2557,6 +2557,756 @@
"text": "リージョン間の DR シナリオでのデータイン レプリケーションの活用",
"waf": "確実"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "共鳴可能なAIのためのメタプロンプトガードレールに従う",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "AOAI インスタンスの監視を有効にする",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。",
+ "waf": "運用上のエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "プロビジョニング済みスループットモデルの使用状況の評価",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure AI コンテンツの安全性を確認して実装する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する",
+ "waf": "パフォーマンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "複数のOAIインスタンスを複数のリージョンにデプロイする",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "APIM のようなゲートウェイ パターンを使用した再試行とヘルスチェックの実装",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります",
+ "waf": "確実"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "データソース間で転送されるデータ、Retrieval-Augmented Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel を活用して高度な脅威の検出と対応を実現",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Content Safety を使用した Prompt シールドと接地検出の実装",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "低い",
+ "text": "Azure AI Service アカウントは、組織の名前付け規則に従います",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure AI サービス リソースの診断ログを有効にする必要がある",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "AI Search Vector ストレージの計画と管理",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "GenAIアプリケーションをレッドチーム化",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。",
+ "waf": "オペレーショナルエクセレンス"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "高い",
+ "text": "クォータ管理の実践を検討する",
+ "waf": "コストの最適化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "中程度",
+ "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します",
+ "waf": "オペレーショナルエクセレンス"
+ },
{
"checklist": "SAP Checklist",
"guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
@@ -8240,7 +8990,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.ko.json b/checklists/waf_checklist.ko.json
index 9a0b34bf6..58bb5be8f 100644
--- a/checklists/waf_checklist.ko.json
+++ b/checklists/waf_checklist.ko.json
@@ -3284,6 +3284,756 @@
"text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.",
"waf": "작업"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "AOAI 인스턴스에 대한 모니터링 활성화",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 같은 메트릭 관찰",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "API 키 대신 관리 ID로 Microsoft Entra 인증 사용",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 평가합니다. 평가를 위해 PromptFlow의 기능을 활용합니다.",
+ "waf": "운영 엑셀런스"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "프로비저닝된 처리량 모델의 사용 평가 ",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure AI 콘텐츠 안전성 검토 및 구현",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "올바른 작업에 적합한 모델을 선택하십시오. 속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "여러 지역에 여러 OAI 인스턴스 배포",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. ",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 데이터 보안 프로토콜을 성실히 따르도록 권장합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 통합 지점을 제한합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure AI Services 리소스의 진단 로그를 사용하도록 설정해야 함",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. ",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 배치 크기를 최적화해야 합니다.",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "AI Search Vector 스토리지 계획 및 관리",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "청구 모델 사용 평가 - PAYG 대 PTU",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "GenAI 애플리케이션을 위한 레드 팀",
+ "waf": "안전"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. ",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "할당량 관리 방법 고려",
+ "waf": "비용 최적화"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다",
+ "waf": "운영 우수성"
+ },
{
"arm-service": "Microsoft.DBforMySQL/servers",
"checklist": "MySQL Review Checklist",
@@ -8240,7 +8990,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.pt.json b/checklists/waf_checklist.pt.json
index 2a776b7a5..1f82a0ce7 100644
--- a/checklists/waf_checklist.pt.json
+++ b/checklists/waf_checklist.pt.json
@@ -1,5 +1,755 @@
{
"items": [
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Siga as proteções do Metaprompting para uma IA razoável",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de taxa, balanceamento de carga, autenticação e registro",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Habilitar o monitoramento para suas instâncias AOAI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Observe métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do Azure, implantações de modelo e todos os recursos relacionados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. Aproveite os recursos do PromptFlow para avaliação.",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Avaliar o uso do modelo de taxa de transferência provisionada ",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Examinar e implementar a segurança de conteúdo do Azure AI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Escolha o modelo certo para a tarefa certa. Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino melhorou ou não o desempenho do modelo",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "Implantar várias instâncias de OAI em regiões",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ",
+ "waf": "Fiabilidade"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. Incentive-os a seguir os protocolos de segurança de dados diligentemente.",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. Esses dados devem receber as mesmas medidas de proteção que o material de origem",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Certifique-se de que as APIs e os endpoints usados pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do aplicativo LLM",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "Baixo",
+ "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. ",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. Certifique-se de otimizar o tamanho do lote",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Defina um limite máximo para o número de tokens por resposta do modelo. Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Planejar e gerenciar o armazenamento de vetores do AI Search",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Equipe vermelha de seus aplicativos GenAI",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. ",
+ "waf": "Excelência Operacional"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Considere as práticas de gerenciamento de cotas",
+ "waf": "Otimização de custos"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "Média",
+ "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões",
+ "waf": "Excelência Operacional"
+ },
{
"arm-service": "Microsoft.Storage/storageAccounts",
"checklist": "Azure Blob Storage Review",
@@ -8240,7 +8990,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/checklists/waf_checklist.zh-Hant.json b/checklists/waf_checklist.zh-Hant.json
index 456e97734..741355831 100644
--- a/checklists/waf_checklist.zh-Hant.json
+++ b/checklists/waf_checklist.zh-Hant.json
@@ -6180,6 +6180,756 @@
"text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性",
"waf": "可靠性"
},
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "遵循 Metaprompting 護欄,實現 realible AI",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1",
+ "link": "https://github.com/Azure-Samples/AI-Gateway",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "考慮使用APIM或 AI central 等解決方案的閘道模式,以實現更好的速率限制、負載均衡、身份驗證和日誌記錄",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "為您的 AOAI 實例啟用監控",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "697cb391-ed16-4b2d-886f-0a0241addde6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "建立警報以通知團隊有關事件的通知,例如由對資源執行的操作(例如重新生成其訂閱金閜)創建的活動日誌中的條目或指標閾值(例如一小時內超過 10 的錯誤數)",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "監控令牌使用方式,防止由於容量導致服務中斷",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "觀察已處理的推理令牌、生成的完成令牌等指標,監視速率限制",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "text": "如果診斷對你來說還不夠,請考慮在 Azure OpenAI 前面使用閘道(例如 Azure API 管理)來記錄傳入提示和傳出回應(如果允許)",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用基礎結構即代碼部署 Azure OpenAI 服務、模型部署和所有相關資源",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "將 Microsoft Entra 身份驗證與託管標識(而不是 API 金鑰)配合使用",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用已知的黃金數據集評估系統的性能/準確性,該數據集具有輸入和正確答案。利用 PromptFlow 中的功能進行評估。",
+ "waf": "卓越的運營執行力"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "評估預配輸送量模型的使用方式",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "查看和實施 Azure AI 內容安全性",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "根據令牌數和每分鐘的回應來定義和評估系統的輸送量,並符合要求",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "通過限制令牌大小、流式處理選項來改善系統的延遲",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "估計彈性需求,以根據優先順序確定同步和批量請求分離。對於高優先順序,使用同步方法,對於低優先順序,首選使用佇列的異步批處理",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "根據消費者的估計需求對代幣消費要求進行基準測試。如果使用的是預設輸送量單元部署,請考慮使用 Azure OpenAI 基準測試工具來幫助驗證輸送量",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "如果您使用的是預設輸送量單位 (PTU),請考慮為溢出請求部署每分鐘令牌 (TPM) 部署。當達到 PTU 限制時,使用閘道將請求路由到 TPM 部署。",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "為正確的任務選擇正確的模型。選擇在速度、回應質量和輸出複雜性之間做出正確權衡的模型",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "有一個性能基線,而不進行微調,以瞭解微調是否提高了模型性能",
+ "waf": "性能"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "text": "跨區域部署多個 OAI 實例",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用閘道模式(如 APIM)實現重試和運行狀況檢查",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "確保為工作負載提供足夠的 TPM 和 RPM 配額",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "查看 HAI 工具包指南中的注意事項,並將這些交互實踐應用於 slution",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "如果採用微調,則跨區域部署單獨的微調模型",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "定期備份和複製關鍵數據,以確保數據丟失或系統故障時的數據可用性和可恢復性。利用 Azure 的備份和災難恢復服務來保護數據。",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "應選擇 Azure AI 搜索服務層級以具有 SLA",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "text": "對數據和敏感度進行分類,在生成嵌入之前使用 Microsoft Purview 進行標記,並確保以相同的敏感度和分類處理生成的嵌入",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 SSE/磁碟加密和可選的 BYOK 加密來加密用於 RAG 的數據",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "確保對跨數據源傳輸的數據實施 TLS,用於檢索增強生成 (RAG) 和 LLM 通信的 AI 搜索",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 RBAC 管理對 Azure OpenAI 服務的訪問。為使用者分配適當的許可權,並根據其角色和職責限制訪問許可權",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "實施數據加密、遮罩或編輯技術,以在非生產環境中或出於測試或故障排除目的共用數據時隱藏敏感數據或將其替換為混淆值",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "利用 Azure Defender 來檢測和回應安全威脅,並設置監視和警報機制來識別可疑活動或違規行為。利用 Azure Sentinel 進行高級威脅檢測和回應",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "制定數據保留和處置策略,以遵守合規性法規。對不再需要的數據實施安全刪除方法,並維護數據保留和處置活動的審計跟蹤",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 Content Safety 實施 Prompt shields 和接地檢測",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "通過實施隱私控制並獲得數據處理活動所需的同意或許可,確保遵守相關的數據保護法規,例如GDPR或HIPAA。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "對員工進行有關數據安全最佳實踐、安全處理數據的重要性以及與數據洩露相關的潛在風險的教育。鼓勵他們勤奮地遵循數據安全協定。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "將生產數據與開發和測試數據分開。僅在生產中使用真實的敏感數據,並在開發和測試環境中使用匿名或合成數據。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "如果您具有不同級別的數據敏感度,請考慮為每個級別創建單獨的索引。例如,您可以有一個用於常規數據的索引,另一個用於敏感數據的索引,每個索引都由不同的訪問協定管理",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "通過將敏感數據集放置在服務的不同實例中,進一步實現隔離。每個實例都可以使用其自己的特定 RBAC 策略集進行控制",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "認識到從敏感資訊生成的嵌入和向量本身就是敏感的。這些數據應得到與源材料相同的保護措施",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "將 RBAC 應用於具有嵌入和向量的數據存儲,並根據角色的訪問要求確定存取範圍",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "為 AI 服務配置專用終結點,以限制網路內的服務訪問",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 Azure 防火牆和 UDR 強制實施嚴格的入站和出站流量控制,並限制外部集成點",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "實施網路分段和訪問控制,將 LLM 應用程式的存取限製為僅授權使用者和系統,並防止橫向行動",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "使用提示壓縮工具,如 LLMLingua 或 gprtrim",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "確保 LLM 應用程式使用的 API 和端點使用身份驗證和授權機制(例如託管標識、API 金鑰或 OAuth)得到適當保護,以防止未經授權的訪問。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "實施強大的最終使用者身份驗證機制,例如多因素身份驗證,以防止對 LLM 應用程式和相關網路資源的未經授權的訪問",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "實施網路監控工具,以檢測和分析網路流量中的任何可疑或惡意活動。啟用日誌記錄以捕獲網路事件,並在發生安全事件時促進取證分析",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "進行安全審計和滲透測試,以識別和解決LLM應用程式的網路基礎設施中的任何網路安全弱點或漏洞",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "text": "Azure AI 服務已正確標記,以便更好地管理",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "低",
+ "text": "Azure AI 服務帳戶遵循組織命名約定",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "應啟用 Azure AI 服務資源中的診斷日誌",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "為了安全起見,建議禁用密鑰訪問(本地身份驗證)。 禁用基於密鑰的訪問后,Microsoft Entra ID 將成為唯一的訪問方法,該方法允許保持最小許可權原則和精細控制。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 Azure Key Vault 安全地存儲和管理密鑰。避免在 LLM 應用程式的代碼中硬編碼或嵌入敏感密鑰,並使用託管標識從 Azure Key Vault 中安全地檢索它們",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "定期輪換和過期存儲在 Azure Key Vault 中的密鑰,以最大程度地降低未經授權訪問的風險。",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "使用 tiktoken 了解對話模式下令牌優化的令牌大小",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "遵循安全編碼做法,以防止常見漏洞,例如注入攻擊、跨網站腳本 (XSS) 或安全配置錯誤",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "設置一個流程來定期更新和修補 LLM 庫和其他系統元件",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "遵守 Azure OpenAI 或其他 LLM 的使用條款、策略和指南以及允許的用例",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "了解基礎模型和微調模型的成本差異以及令牌步長",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "在可能的情況下,批量請求,以最大程度地減少每次調用的開銷,從而降低總體成本。確保優化批量大小",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "設置成本跟蹤系統,用於監視模型使用方式,並使用該資訊來説明通知模型選擇和提示大小",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "為每個模型回應的令牌數設置最大限制。優化大小以確保其足夠大以實現有效的回應",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "查看提供的有關設置 AI 搜索以實現可靠性的指南",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "規劃和管理 AI 搜索向量存儲",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "應用 LLMOps 實踐來自動化 GenAI 應用程式的生命週期管理",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "評估計費模型的使用方式 - PAYG 與 PTU",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "在模型版本之間切換時評估提示和應用程式的品質",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "評估、監控和優化您的 GenAI 應用程式的特性,如接地氣、相關性、準確性、連貫性、流暢性、",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "根據不同的搜索參數評估 Azure AI 搜尋結果",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "只有在嘗試了其他基本方法(如提示工程和RAG處理數據)時,才將微調模型視為提高準確性的方法",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "使用提示工程技術來提高 LLM 回應的準確性",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "紅隊您的 GenAI 應用程式",
+ "waf": "安全"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "為最終使用者提供 LLM 回應的評分選項並跟蹤這些分數。",
+ "waf": "卓越運營"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "高",
+ "text": "考慮配額管理做法",
+ "waf": "成本優化"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "Azure OpenAI",
+ "severity": "中等",
+ "text": "使用負載均衡器解決方案(如基於APIM的閘道)在服務和區域之間平衡負載和容量",
+ "waf": "卓越運營"
+ },
{
"arm-service": "microsoft.eventhub/namespaces",
"checklist": "Azure Event Hub Review",
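Review bot: The `waf` value on the item with guid `4e4f1854-287d-45cd-a126-cc031af5b1fc` is `"卓越的運營執行力"`, while every other Operational Excellence item in this hunk uses `"卓越運營"`, so any consumer that groups or filters the checklist by pillar will see this entry as a category of its own; it should read `"waf": "卓越運營"`. Two text fields also contain slips rather than Chinese: the alert item (guid `697cb391-…`) has `金閜` where `金鑰` is evidently meant, and the first item and the HAI-toolkit item keep the untranslated English fragments `realible AI` and `slution`. Separately, the item with guid `1102cac6-…` lists API keys next to managed identity and OAuth as acceptable authentication, which sits uneasily with the items recommending managed identity over keys and disabling key-based (local) authentication; since this text presumably mirrors the English master, the wording fix belongs there so that all translations pick it up.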
@@ -8240,7 +8990,7 @@
],
"metadata": {
"name": "WAF checklist",
- "timestamp": "July 16, 2024"
+ "timestamp": "July 23, 2024"
},
"severities": [
{
diff --git a/spreadsheet/macrofree/aoai_checklist.en.xlsx b/spreadsheet/macrofree/aoai_checklist.en.xlsx
new file mode 100644
index 000000000..9eb3fe5a1
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.en.xlsx differ
diff --git a/spreadsheet/macrofree/aoai_checklist.es.xlsx b/spreadsheet/macrofree/aoai_checklist.es.xlsx
new file mode 100644
index 000000000..c348d7244
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.es.xlsx differ
diff --git a/spreadsheet/macrofree/aoai_checklist.ja.xlsx b/spreadsheet/macrofree/aoai_checklist.ja.xlsx
new file mode 100644
index 000000000..e2b828a89
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.ja.xlsx differ
diff --git a/spreadsheet/macrofree/aoai_checklist.ko.xlsx b/spreadsheet/macrofree/aoai_checklist.ko.xlsx
new file mode 100644
index 000000000..9e89b19d9
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.ko.xlsx differ
diff --git a/spreadsheet/macrofree/aoai_checklist.pt.xlsx b/spreadsheet/macrofree/aoai_checklist.pt.xlsx
new file mode 100644
index 000000000..44efcd05e
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.pt.xlsx differ
diff --git a/spreadsheet/macrofree/aoai_checklist.zh-Hant.xlsx b/spreadsheet/macrofree/aoai_checklist.zh-Hant.xlsx
new file mode 100644
index 000000000..c5b6b30b9
Binary files /dev/null and b/spreadsheet/macrofree/aoai_checklist.zh-Hant.xlsx differ
diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx
index 47d594c66..b13f9a3fa 100644
Binary files a/spreadsheet/macrofree/checklist.en.master.xlsx and b/spreadsheet/macrofree/checklist.en.master.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.en.xlsx b/spreadsheet/macrofree/waf_checklist.en.xlsx
index 5b099d5b7..9e8acfbec 100644
Binary files a/spreadsheet/macrofree/waf_checklist.en.xlsx and b/spreadsheet/macrofree/waf_checklist.en.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.es.xlsx b/spreadsheet/macrofree/waf_checklist.es.xlsx
index ee4529679..9748d9d7f 100644
Binary files a/spreadsheet/macrofree/waf_checklist.es.xlsx and b/spreadsheet/macrofree/waf_checklist.es.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.ja.xlsx b/spreadsheet/macrofree/waf_checklist.ja.xlsx
index e06fcc6a0..5a37fc9b7 100644
Binary files a/spreadsheet/macrofree/waf_checklist.ja.xlsx and b/spreadsheet/macrofree/waf_checklist.ja.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.ko.xlsx b/spreadsheet/macrofree/waf_checklist.ko.xlsx
index d1154f677..5bec80ec3 100644
Binary files a/spreadsheet/macrofree/waf_checklist.ko.xlsx and b/spreadsheet/macrofree/waf_checklist.ko.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.pt.xlsx b/spreadsheet/macrofree/waf_checklist.pt.xlsx
index d5109a626..c2c745cb1 100644
Binary files a/spreadsheet/macrofree/waf_checklist.pt.xlsx and b/spreadsheet/macrofree/waf_checklist.pt.xlsx differ
diff --git a/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx b/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx
index 28b3bdd11..4747d016b 100644
Binary files a/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx and b/spreadsheet/macrofree/waf_checklist.zh-Hant.xlsx differ
diff --git a/workbooks/alz_checklist.en_network_counters.json b/workbooks/alz_checklist.en_network_counters.json
index d10d32c10..7980e11b3 100644
--- a/workbooks/alz_checklist.en_network_counters.json
+++ b/workbooks/alz_checklist.en_network_counters.json
@@ -834,7 +834,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
}
}
]
@@ -853,7 +853,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
}
}
]
@@ -891,7 +891,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
+ "resultVal": "{Query6Stats:$.Success}"
}
}
]
@@ -910,7 +910,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
+ "resultVal": "{Query6Stats:$.Total}"
}
}
]
@@ -948,7 +948,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}"
+ "resultVal": "{Query24Stats:$.Success}"
}
}
]
@@ -967,7 +967,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}"
+ "resultVal": "{Query24Stats:$.Total}"
}
}
]
@@ -1005,7 +1005,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}"
+ "resultVal": "{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}"
}
}
]
@@ -1024,7 +1024,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}"
+ "resultVal": "{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}"
}
}
]
@@ -1062,7 +1062,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query20Stats:$.Success}"
+ "resultVal": "{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}"
}
}
]
@@ -1081,7 +1081,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query20Stats:$.Total}"
+ "resultVal": "{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}"
}
}
]
@@ -1119,7 +1119,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query24Stats:$.Success}"
+ "resultVal": "{Query20Stats:$.Success}"
}
}
]
@@ -1138,7 +1138,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query24Stats:$.Total}"
+ "resultVal": "{Query20Stats:$.Total}"
}
}
]
@@ -1176,7 +1176,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query6Stats:$.Success}"
+ "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}"
}
}
]
@@ -1195,7 +1195,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query6Stats:$.Total}"
+ "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}"
}
}
]
@@ -1233,7 +1233,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query20Stats:$.Total}+{Query24Stats:$.Total}+{Query6Stats:$.Total}"
+ "resultVal": "{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query6Stats:$.Total}+{Query24Stats:$.Total}+{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query20Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}"
}
}
]
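Review bot: The rewritten aggregate `resultVal` on the `+` line contains exactly the same 25 `{QueryNStats:$.Total}` terms as the removed line, only in a different order, so this hunk and the matching `$.Success` hunk at L27598–27606 are no-op changes that add noise to an already large reorder. The same is true of the tab link `id` GUIDs in the hunks at L27607–27703, which change without any functional effect. If these workbook files are produced by a generator (which the serialized copy of the workbook in the template file at L28089 suggests), emitting the terms sorted by query index and deriving stable ids would keep future diffs limited to real changes; if they are hand-maintained, keeping the previous order would have the same effect here.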
@@ -1252,7 +1252,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query20Stats:$.Success}+{Query24Stats:$.Success}+{Query6Stats:$.Success}"
+ "resultVal": "{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query6Stats:$.Success}+{Query24Stats:$.Success}+{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query20Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}"
}
}
]
@@ -1326,7 +1326,7 @@
"style": "tabs",
"links": [
{
- "id": "987a70ea-a922-4df1-9bd9-d7ca2c8cf826",
+ "id": "82abb386-cc34-4a70-a3a4-8af2e6d5a365",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
"linkLabel": "Hybrid ({Tab0Success:value}/{Tab0Total:value})",
@@ -1335,66 +1335,66 @@
"style": "primary"
},
{
- "id": "0802a5dc-d49f-42da-854b-b12843fc171b",
+ "id": "b69cc8bc-ea9c-4383-8649-d625886b1846",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "IP plan ({Tab1Success:value}/{Tab1Total:value})",
+ "linkLabel": "Hub and spoke ({Tab1Success:value}/{Tab1Total:value})",
"subTarget": "tab1",
- "preText": "IP plan",
+ "preText": "Hub and spoke",
"style": "primary"
},
{
- "id": "b7f9f236-b1f2-4f7d-ba82-098cd445f385",
+ "id": "fd818add-44fc-4f5f-97eb-8de0f5ed2b3a",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Hub and spoke ({Tab2Success:value}/{Tab2Total:value})",
+ "linkLabel": "Internet ({Tab2Success:value}/{Tab2Total:value})",
"subTarget": "tab2",
- "preText": "Hub and spoke",
+ "preText": "Internet",
"style": "primary"
},
{
- "id": "0e47aaab-523b-4632-b2b1-043a83cb3d59",
+ "id": "c535ea54-1453-4d8e-aced-b9ae60232c65",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Segmentation ({Tab3Success:value}/{Tab3Total:value})",
+ "linkLabel": "Virtual WAN ({Tab3Success:value}/{Tab3Total:value})",
"subTarget": "tab3",
- "preText": "Segmentation",
+ "preText": "Virtual WAN",
"style": "primary"
},
{
- "id": "cbacb8f0-2307-4889-8e88-f860dee5c752",
+ "id": "141abc68-1398-4eb4-8d68-fa7ae7c66cd0",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Firewall ({Tab4Success:value}/{Tab4Total:value})",
+ "linkLabel": "Segmentation ({Tab4Success:value}/{Tab4Total:value})",
"subTarget": "tab4",
- "preText": "Firewall",
+ "preText": "Segmentation",
"style": "primary"
},
{
- "id": "17595719-c7e9-4149-8697-393d3e7c6a67",
+ "id": "a43053c5-e24c-4c22-ae80-322f4c81ca8b",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "PaaS ({Tab5Success:value}/{Tab5Total:value})",
+ "linkLabel": "Firewall ({Tab5Success:value}/{Tab5Total:value})",
"subTarget": "tab5",
- "preText": "PaaS",
+ "preText": "Firewall",
"style": "primary"
},
{
- "id": "90cab07e-8f99-4273-8071-ea3051a6f6fb",
+ "id": "fbca1185-732d-42eb-b050-69a20d3d682b",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Virtual WAN ({Tab6Success:value}/{Tab6Total:value})",
+ "linkLabel": "PaaS ({Tab6Success:value}/{Tab6Total:value})",
"subTarget": "tab6",
- "preText": "Virtual WAN",
+ "preText": "PaaS",
"style": "primary"
},
{
- "id": "c7b29605-1052-459a-bb57-bac4532714ef",
+ "id": "32dcf369-be2d-4956-a71a-815800fccac4",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Internet ({Tab7Success:value}/{Tab7Total:value})",
+ "linkLabel": "IP plan ({Tab7Success:value}/{Tab7Total:value})",
"subTarget": "tab7",
- "preText": "Internet",
+ "preText": "IP plan",
"style": "primary"
}
]
@@ -1866,22 +1866,22 @@
{
"type": 1,
"content": {
- "json": "## IP plan"
+ "json": "## Hub and spoke"
},
"name": "tab1title"
},
{
"type": 1,
"content": {
- "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
},
- "name": "querytext4"
+ "name": "querytext0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
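Review bot: The RouteServerSubnet query on the `+ "query"` line compares `subnetPrefixLength`, which is the dynamic string element returned by `split(subnetPrefix, '/')[1]`, against the integer 27 without converting it, so the `compliant` result depends on how Kusto coerces a dynamic string in a numeric comparison. Making the type explicit, `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`, removes that dependence and makes the intended numeric comparison obvious to the next reader. The same pattern appears in the Bastion query at L27871 and the address-mask query at L28076. The enclosing KqlItem object continues outside the hunk.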
@@ -1930,20 +1930,20 @@
]
}
},
- "name": "query4"
+ "name": "query0"
},
{
"type": 1,
"content": {
- "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
},
- "name": "querytext5"
+ "name": "querytext1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
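Review bot: The threshold in the peering query, `compliant = (peeringcount < 450)`, does not match the guidance text two items above it, which tells the reader to add a hub above 400 spokes, so a hub with 420 peerings is reported compliant while the text says it should not be. The route-table query in the next hunk (L27799) has the opposite skew, `routeCount < 360` against a stated limit of 400. If the margins are intentional (450 keeps headroom under the 500 hard limit named in the text, 360 warns early), state that in the guidance text, e.g. `... (this check flags hubs with 450 or more peerings)`; otherwise align the constants with the text. Both checks are pre-existing items moved into this tab, and the enclosing NotebookGroup continues outside the hunk.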
@@ -1992,42 +1992,20 @@
]
}
},
- "name": "query5"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab1"
- },
- "name": "tab1"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Hub and spoke"
- },
- "name": "tab2title"
+ "name": "query1"
},
{
"type": 1,
"content": {
- "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
+ "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
},
- "name": "querytext0"
+ "name": "querytext2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2076,20 +2054,20 @@
]
}
},
- "name": "query0"
+ "name": "query2"
},
{
"type": 1,
"content": {
- "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
},
- "name": "querytext1"
+ "name": "querytext3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2138,20 +2116,42 @@
]
}
},
- "name": "query1"
+ "name": "query3"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab1"
+ },
+ "name": "tab1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Internet"
+ },
+ "name": "tab2title"
},
{
"type": 1,
"content": {
- "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
},
- "name": "querytext2"
+ "name": "querytext6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2200,20 +2200,42 @@
]
}
},
- "name": "query2"
+ "name": "query6"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab2"
+ },
+ "name": "tab2"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Virtual WAN"
+ },
+ "name": "tab3title"
},
{
"type": 1,
"content": {
- "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
+ "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext3"
+ "name": "querytext24"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2262,16 +2284,16 @@
]
}
},
- "name": "query3"
+ "name": "query24"
}
]
},
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab2"
+ "value": "tab3"
},
- "name": "tab2"
+ "name": "tab3"
},
{
"type": 12,
@@ -2284,7 +2306,7 @@
"content": {
"json": "## Segmentation"
},
- "name": "tab3title"
+ "name": "tab4title"
},
{
"type": 1,
@@ -2539,9 +2561,9 @@
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab3"
+ "value": "tab4"
},
- "name": "tab3"
+ "name": "tab4"
},
{
"type": 12,
@@ -2554,7 +2576,7 @@
"content": {
"json": "## Firewall"
},
- "name": "tab4title"
+ "name": "tab5title"
},
{
"type": 1,
@@ -2871,9 +2893,9 @@
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab4"
+ "value": "tab5"
},
- "name": "tab4"
+ "name": "tab5"
},
{
"type": 12,
@@ -2886,7 +2908,7 @@
"content": {
"json": "## PaaS"
},
- "name": "tab5title"
+ "name": "tab6title"
},
{
"type": 1,
@@ -2955,9 +2977,9 @@
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab5"
+ "value": "tab6"
},
- "name": "tab5"
+ "name": "tab6"
},
{
"type": 12,
@@ -2968,22 +2990,22 @@
{
"type": 1,
"content": {
- "json": "## Virtual WAN"
+ "json": "## IP plan"
},
- "name": "tab6title"
+ "name": "tab7title"
},
{
"type": 1,
"content": {
- "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
+ "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext24"
+ "name": "querytext4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -3032,42 +3054,20 @@
]
}
},
- "name": "query24"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab6"
- },
- "name": "tab6"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Internet"
- },
- "name": "tab7title"
+ "name": "query4"
},
{
"type": 1,
"content": {
- "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
+ "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext6"
+ "name": "querytext5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -3116,7 +3116,7 @@
]
}
},
- "name": "query6"
+ "name": "query5"
}
]
},
diff --git a/workbooks/alz_checklist.en_network_counters_template.json b/workbooks/alz_checklist.en_network_counters_template.json
index e9dca6b13..aadfbab78 100644
--- a/workbooks/alz_checklist.en_network_counters_template.json
+++ b/workbooks/alz_checklist.en_network_counters_template.json
@@ -41,7 +41,7 @@
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = 
split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, 
peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = 
properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, 
'_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, 
compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n 
\"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query20Stats:$.Total}+{Query24Stats:$.Total}+{Query6Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query20Stats:$.Success}+{Query24Stats:$.Success}+{Query6Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"987a70ea-a922-4df1-9bd9-d7ca2c8cf826\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n 
\"linkLabel\": \"Hybrid ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0802a5dc-d49f-42da-854b-b12843fc171b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b7f9f236-b1f2-4f7d-ba82-098cd445f385\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0e47aaab-523b-4632-b2b1-043a83cb3d59\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"cbacb8f0-2307-4889-8e88-f860dee5c752\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"17595719-c7e9-4149-8697-393d3e7c6a67\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"90cab07e-8f99-4273-8071-ea3051a6f6fb\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"c7b29605-1052-459a-bb57-bac4532714ef\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet 
({Tab7Success:value}/{Tab7Total:value})\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the 
Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n 
{\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n 
\"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": 
\"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n 
},\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n 
\"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n 
],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = 
split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, 
peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = 
properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, 
'_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, 
compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n 
\"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query6Stats:$.Total}+{Query24Stats:$.Total}+{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}+{Query20Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query6Stats:$.Success}+{Query24Stats:$.Success}+{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}+{Query20Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"82abb386-cc34-4a70-a3a4-8af2e6d5a365\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n 
\"linkLabel\": \"Hybrid ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b69cc8bc-ea9c-4383-8649-d625886b1846\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"fd818add-44fc-4f5f-97eb-8de0f5ed2b3a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"c535ea54-1453-4d8e-aced-b9ae60232c65\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"141abc68-1398-4eb4-8d68-fa7ae7c66cd0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a43053c5-e24c-4c22-ae80-322f4c81ca8b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"fbca1185-732d-42eb-b050-69a20d3d682b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"32dcf369-be2d-4956-a71a-815800fccac4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan 
({Tab7Success:value}/{Tab7Total:value})\",\n \"subTarget\": \"tab7\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the 
Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route 
table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or 
larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": 
\"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Segmentation\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## IP plan\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
diff --git a/workbooks/alz_checklist.en_network_tabcounters.json b/workbooks/alz_checklist.en_network_tabcounters.json
index 332d6eb99..989c155d1 100644
--- a/workbooks/alz_checklist.en_network_tabcounters.json
+++ b/workbooks/alz_checklist.en_network_tabcounters.json
@@ -70,25 +70,25 @@
"style": "tabs",
"links": [
{
- "id": "023cfad0-ff26-4bbc-814c-de6b3342b29b",
+ "id": "3600b117-8e49-4cd2-87fc-329949a352e0",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Internet",
"subTarget": "tab0",
- "preText": "PaaS",
+ "preText": "Internet",
"style": "primary"
},
{
- "id": "b2bb6db9-65f1-4acf-af8c-c6fd109f9019",
+ "id": "f95a8ff1-5539-4485-93ea-b8aad2147c08",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "Hub and spoke",
"subTarget": "tab1",
- "preText": "Internet",
+ "preText": "Hub and spoke",
"style": "primary"
},
{
- "id": "b483c77a-07bc-43ea-94b9-eca9dcc5d30f",
+ "id": "c45ef78d-f2df-4d2c-a70a-52c19f69b302",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
"linkLabel": "IP plan",
@@ -97,25 +97,25 @@
"style": "primary"
},
{
- "id": "fc3ed446-f54f-44a1-a259-2b390e94df81",
+ "id": "375f78b5-0e31-490b-8893-1d46fd2e386c",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "PaaS",
"subTarget": "tab3",
- "preText": "Virtual WAN",
+ "preText": "PaaS",
"style": "primary"
},
{
- "id": "42664010-5d14-44e5-aaf7-b6dfc84b603d",
+ "id": "89dd4c79-11c6-4023-927f-329603efe764",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Segmentation",
+ "linkLabel": "Hybrid",
"subTarget": "tab4",
- "preText": "Segmentation",
+ "preText": "Hybrid",
"style": "primary"
},
{
- "id": "dc5a4f18-2f6b-46dc-9570-9dc5691c716e",
+ "id": "891a964b-e44e-4c93-b842-2b8865b9a8f0",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
"linkLabel": "Firewall",
@@ -124,21 +124,21 @@
"style": "primary"
},
{
- "id": "af1a7fcb-8cf8-45f0-a686-20cb625c9e02",
+ "id": "1566c26f-0fc8-44c1-b9ae-ca590a7f1f5f",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "Segmentation",
"subTarget": "tab6",
- "preText": "Hybrid",
+ "preText": "Segmentation",
"style": "primary"
},
{
- "id": "f05c5867-9bdf-4c27-aae8-2b1be0e395c4",
+ "id": "90e80d3f-c9f5-429f-8985-6234e5a7a479",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "Virtual WAN",
"subTarget": "tab7",
- "preText": "Hub and spoke",
+ "preText": "Virtual WAN",
"style": "primary"
}
]
@@ -162,9 +162,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query20Stats",
+ "name": "Query6Stats",
"type": 1,
- "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
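Review bot: The compliance test in the new Query6Stats query above compares `subnetPrefixLength`, a dynamic element produced by `split(subnetPrefix, '/')[1]`, against the integer 26 without a cast; if Resource Graph returns that element as a string, the numeric comparison can evaluate to null instead of true/false, which the grid renders as Unknown and the summarize counts as neither Success nor Failed. Casting first, `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`, makes the comparison unambiguous. The same uncast pattern appears in the Query0Stats Route Server query later in this commit, so the cast should be applied there as well. If this workbook is generated from the checklist's graph queries, the fix belongs in the source query rather than in this file.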
@@ -178,9 +178,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query20FullyCompliant",
+ "name": "Query6FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query20Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -201,7 +201,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query20Stats:$.Success}"
+ "resultVal": "{Query6Stats:$.Success}"
}
}
]
@@ -220,7 +220,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query20Stats:$.Total}"
+ "resultVal": "{Query6Stats:$.Total}"
}
}
]
@@ -254,7 +254,7 @@
{
"type": 1,
"content": {
- "json": "## PaaS"
+ "json": "## Internet"
},
"customWidth": "50",
"name": "tab0title"
@@ -295,15 +295,15 @@
{
"type": 1,
"content": {
- "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
+ "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
},
- "name": "querytext20"
+ "name": "querytext6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
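Review bot: The Bastion check in the query line above reads only `subnets.properties.addressPrefix`; a subnet defined with the `addressPrefixes` array form has no `addressPrefix`, so `subnetPrefix` is null, the comparison yields null and the AzureBastionSubnet is reported as Unknown rather than Failed or Success. If that form can occur in the environments this workbook targets, reading both, `subnetPrefix = tostring(coalesce(subnets.properties.addressPrefix, subnets.properties.addressPrefixes[0]))`, keeps the row in the pass/fail totals. Note also that a VNet without an AzureBastionSubnet is simply absent from the result, which is the intended behaviour here but differs from the other checks in this tab that list every VNet; a short sentence in the text, `Only VNets that contain an AzureBastionSubnet are evaluated.`, would make that explicit.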
@@ -352,7 +352,7 @@
]
}
},
- "name": "query20"
+ "name": "query6"
}
]
},
@@ -380,9 +380,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query6Stats",
+ "name": "Query0Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
@@ -396,9 +396,93 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query6FullyCompliant",
+ "name": "Query0FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query0Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query1Stats",
+ "type": 1,
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query1FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query1Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query2Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query2FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query2Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query3Stats",
+ "type": 1,
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query3FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query3Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
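Review bot: The thresholds in the new Query1Stats and Query2Stats queries (`peeringcount < 450` and `routeCount < 360`) do not match the guidance text added for these checks later in the commit, which says "more than 400 spoke networks" and "Limit the number of routes per route table to 400", so a reader seeing a Failed route table at 361 routes will not find that number anywhere in the text. Either align the thresholds with the text or state the margin in the text, e.g. `Limit the number of routes per route table to 400 (this check flags tables at 360 or more, 90% of the limit)`. Both queries also count rows after `mvexpand`; a VNet or route table whose array is empty or null either produces no row (and drops out of the Total) or one row that counts as a single item, so it is worth confirming against a VNet with no peerings that such resources are reported as compliant. Each added parameter reuses the same `id` as the existing ones, which mirrors the pattern already in the file but should be checked if the workbook ever relies on parameter ids being unique.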
@@ -419,7 +503,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query6Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
}
}
]
@@ -438,7 +522,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query6Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
}
}
]
@@ -472,7 +556,7 @@
{
"type": 1,
"content": {
- "json": "## Internet"
+ "json": "## Hub and spoke"
},
"customWidth": "50",
"name": "tab1title"
@@ -513,15 +597,15 @@
{
"type": 1,
"content": {
- "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
+ "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
},
- "name": "querytext6"
+ "name": "querytext0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
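Review bot: The text on the line above says to use a /27 prefix, but the query's `subnetPrefixLength <= 27` passes any prefix of /27 or larger (/26, /25, ...), so the text should state the rule the query actually enforces, e.g. `If using Route Server, use a subnet of at least /27 for the RouteServerSubnet.`. As in the Bastion query, `split(subnetPrefix, '/')[1]` is compared to an integer without a `toint()` cast; if the element comes back as a string the comparison can be null and the row shows Unknown. The link anchor points at a step of the portal quickstart rather than at the page that states the subnet size requirement, which is fragile if that quickstart is restructured.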
@@ -570,92 +654,278 @@
]
}
},
- "name": "query6"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab1"
- },
- "name": "tab1"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
+ "name": "query0"
+ },
{
- "type": 9,
+ "type": 1,
"content": {
- "version": "KqlParameterItem/1.0",
+ "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ },
+ "name": "querytext1"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
- "parameters": [
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query4Stats",
- "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query4FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query4Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query5Stats",
- "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query5FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query5Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
},
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Tab2Success",
- "type": 1,
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query1"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ },
+ "name": "querytext2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
+ },
+ "name": "querytext3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query3"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab1"
+ },
+ "name": "tab1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "parameters": [
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query4Stats",
+ "type": 1,
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query4FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query4Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query5Stats",
+ "type": 1,
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query5FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query5Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Tab2Success",
+ "type": 1,
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -906,9 +1176,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query24Stats",
+ "name": "Query20Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
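Review bot: In the new Query20Stats query on the `"query"` line, `| order by compliant asc` sits directly before `| summarize Total = count(), …`, and `summarize` discards row order, so the sort is wasted work on every refresh of a hidden stats parameter. It was evidently carried over from the table variant at L28966, where ordering does affect the displayed grid. Dropping it here turns `… | order by compliant asc| summarize …` into `… | summarize …` with identical results. The enclosing parameters array starts and ends outside this hunk.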
@@ -922,9 +1192,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query24FullyCompliant",
+ "name": "Query20FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query24Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query20Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -945,7 +1215,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query24Stats:$.Success}"
+ "resultVal": "{Query20Stats:$.Success}"
}
}
]
@@ -964,7 +1234,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query24Stats:$.Total}"
+ "resultVal": "{Query20Stats:$.Total}"
}
}
]
@@ -998,7 +1268,7 @@
{
"type": 1,
"content": {
- "json": "## Virtual WAN"
+ "json": "## PaaS"
},
"customWidth": "50",
"name": "tab3title"
@@ -1039,15 +1309,15 @@
{
"type": 1,
"content": {
- "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
+ "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
},
- "name": "querytext24"
+ "name": "querytext20"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
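Review bot: The new tile text on the `"json"` line ends its first sentence with `for further information..` — a doubled full stop before ` [This training]` that renders verbatim in the workbook markdown. The same `information.. [This training]` sequence appears in the new text at L29191, L29266 and L29308, which suggests a template artifact in the generator rather than a hand-typed slip, so fixing the template once would clean all four. The intended text is `for further information. [This training](…) can help to educate yourself on this.` The enclosing items array starts and ends outside this hunk.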
@@ -1096,7 +1366,7 @@
]
}
},
- "name": "query24"
+ "name": "query20"
}
]
},
@@ -1124,9 +1394,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query19Stats",
+ "name": "Query7Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
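Review bot: The new Query7Stats query filters with `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'`, mixing a case-insensitive and a case-sensitive comparison; if an ExpressRoute gateway's `gatewayType` is returned in different casing it silently drops out of both Total and Failed, so an undersized gateway would never surface as non-compliant. `SKUTier !in ('Basic', 'Standard')` is likewise case-sensitive. Suggested: `| where properties.gatewayType in~ ('Vpn', 'ExpressRoute')` and `| extend compliant = SKUTier !in~ ('Basic', 'Standard')`. The same filter is repeated in Query10Stats (L29059), query7 (L29201) and query10 (L29276), and Query11Stats/query11 (L29083, L29316) use `== 'Vpn'`, so one form (`=~`/`in~`) across all of them would make the hybrid tab consistent. The enclosing parameters array starts and ends outside this hunk.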
@@ -1140,9 +1410,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query19FullyCompliant",
+ "name": "Query7FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query19Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -1152,9 +1422,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query21Stats",
+ "name": "Query8Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
@@ -1168,9 +1438,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query21FullyCompliant",
+ "name": "Query8FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query21Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -1180,9 +1450,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query22Stats",
+ "name": "Query9Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
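Review bot: The new Query9Stats query scores with `compliant = (circuitsku == 'Local')`, a case-sensitive comparison on a dynamic field, while the neighbouring Query8Stats (L29011) reads the same `sku.tier` through `tolower(sku.tier) == 'local'`; the two checks should agree on how they interpret the tier, otherwise a circuit can pass one and fail the other. `compliant = (tolower(tostring(circuitsku)) == 'local')` keeps the intent and matches Query8's tolerance; the table variant query9 at L29251 carries the same expression. The join is an inner join, so gateways without an ExpressRoute connection are simply absent from the count — presumably intended, but worth a word in the tile text. The enclosing parameters array starts and ends outside this hunk.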
@@ -1196,9 +1466,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query22FullyCompliant",
+ "name": "Query9FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -1208,9 +1478,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query23Stats",
+ "name": "Query10Stats",
"type": 1,
- "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
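Review bot: The new Query10Stats query keeps `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'` in its filter, so its zone-redundancy check (`SKUTier contains 'AZ'`) counts VPN gateways as well as ExpressRoute gateways, while the tile text for this check (L29266) is about ExpressRoute gateways and the new Query11Stats (L29083) scores VPN gateways on its own. Every VPN gateway is therefore counted twice in the hybrid tab's Success and Total sums (L29164, L29173), once per check, which skews the percentage. Restricting this query to `| where properties.gatewayType =~ 'ExpressRoute'` removes the double count; the table variant query10 at L29276 needs the same filter. The enclosing parameters array starts and ends outside this hunk.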
@@ -1224,9 +1494,93 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query23FullyCompliant",
+ "name": "Query10FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query23Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query11Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query11FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query12Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query12FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query13Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query13FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
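Review bot: The new Query13Stats query joins the subnet's `routeTableId=tostring(subnets.properties.routeTable.id)` to the route table's own `routeTableId=id` with a plain `join kind=leftouter`, which compares keys case-sensitively; resource-id references embedded in properties can differ in casing from the referenced resource's `id`, and when they do the join yields null and the `isnull(disableBgpRoutePropagation)` branch marks the GatewaySubnet compliant even if propagation is disabled — a false pass on the very condition this check exists to catch. Normalising both keys, `routeTableId=tolower(tostring(subnets.properties.routeTable.id))` on the left and `routeTableId=tolower(id)` on the right, makes the join robust to that. Query9Stats (L29035) and Query12Stats (L29111) join `tostring(properties.peer.id)` to `tostring(id)` in the same way; there the inner join merely drops the gateway from the count rather than passing it. The enclosing parameters array starts outside this hunk.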
@@ -1247,7 +1601,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}"
+ "resultVal": "{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}"
}
}
]
@@ -1266,7 +1620,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}"
+ "resultVal": "{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}"
}
}
]
@@ -1300,7 +1654,7 @@
{
"type": 1,
"content": {
- "json": "## Segmentation"
+ "json": "## Hybrid"
},
"customWidth": "50",
"name": "tab4title"
@@ -1341,15 +1695,15 @@
{
"type": 1,
"content": {
- "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information."
+ "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
},
- "name": "querytext19"
+ "name": "querytext7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
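Review bot: The new tile text on the `"json"` line tells the reader to pick the right gateway SKU for bandwidth and performance, but the query below it fails exactly the gateways whose tier is `Basic` or `Standard` and passes every other tier, so a reader of the Failed list cannot tell from the text which rule tripped. A closing sentence such as `This check flags gateways on the Basic or Standard tier; other tiers are not evaluated for sizing.` would document the rule the grid actually applies. The enclosing items array starts and ends outside this hunk.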
@@ -1398,20 +1752,20 @@
]
}
},
- "name": "query19"
+ "name": "query7"
},
{
"type": 1,
"content": {
- "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
+ "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
},
- "name": "querytext21"
+ "name": "querytext8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1460,20 +1814,20 @@
]
}
},
- "name": "query21"
+ "name": "query8"
},
{
"type": 1,
"content": {
- "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
+ "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
},
- "name": "querytext22"
+ "name": "querytext9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1522,20 +1876,20 @@
]
}
},
- "name": "query22"
+ "name": "query9"
},
{
"type": 1,
"content": {
- "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
+ "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
},
- "name": "querytext23"
+ "name": "querytext10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1584,84 +1938,270 @@
]
}
},
- "name": "query23"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab4"
- },
- "name": "tab4"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
+ "name": "query10"
+ },
{
- "type": 9,
+ "type": 1,
"content": {
- "version": "KqlParameterItem/1.0",
+ "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
+ },
+ "name": "querytext11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
"crossComponentResources": [
"{Subscription}"
],
- "parameters": [
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query14Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query14FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query15Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
},
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query15FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query11"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ },
+ "name": "querytext12"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query12"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information."
+ },
+ "name": "querytext13"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query13"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab4"
+ },
+ "name": "tab4"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "parameters": [
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query14Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query14FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query15Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query15FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
},
"queryType": 8
},
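Review bot: The GatewaySubnet route-propagation query on L29493 joins the `routeTable.id` taken from the subnet properties against the route table's own `id` column, and KQL `join` keys are compared case-sensitively; resource IDs embedded in nested properties are not always cased identically to the referenced resource's `id`, so a mismatched pair would produce a null `disableBgpRoutePropagation` and be reported as compliant even when propagation is disabled. Normalising both sides, `routeTableId=tolower(tostring(subnets.properties.routeTable.id))` on the left and `routeTableId=tolower(id)` inside the join, removes that blind spot. The same query compares with the capitalised literal `False`; the lower-case `false` is the documented KQL boolean literal and is the safer spelling whether or not the parser tolerates the capitalised form.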
@@ -2190,9 +2730,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query7Stats",
+ "name": "Query19Stats",
"type": 1,
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
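Review bot: In the AzureFirewallSubnet query on L29631, `split(subnetPrefix, '/')[1]` yields a dynamic string element, which is then compared numerically with `== 26`; the same pattern appears with `<= 27` at L29655 and in the grid queries at L29845 and L29870. Unless the engine coerces the string to a number for these comparisons, the compliant flag will be false or null for every subnet, so it is safer to convert explicitly: `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`. Subnets defined through the `addressPrefixes` array rather than the singular `addressPrefix` would presumably produce a null prefix and a null result here as well; that case may be worth handling or at least documenting in the recommendation text.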
@@ -2206,9 +2746,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query7FullyCompliant",
+ "name": "Query19FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query19Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -2218,9 +2758,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query8Stats",
+ "name": "Query21Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
@@ -2234,9 +2774,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query8FullyCompliant",
+ "name": "Query21FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query21Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -2246,9 +2786,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query9Stats",
+ "name": "Query22Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
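Review bot: The NSG deny-all query on L29679 (and its grid counterpart at L29895) drops NSGs that have rules only in the Outbound direction: after `summarize ... by id,tostring(ruleDirection)` the `where ruleDirection == 'Inbound'` filter removes their only row, and the `union` branch re-adds only NSGs with zero rules, so such NSGs are neither counted as compliant nor as failed. Folding the direction into the count gives every NSG with rules a row: `| summarize StarDenies=countif(ruleDirection=='Inbound' and ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id | project id,compliant=(StarDenies>0)`. Note that the check reads only the singular `destinationAddressPrefix`/`destinationPortRange` fields, so a deny rule expressed through the plural array forms would not be recognised; that may be acceptable but is worth stating in the recommendation text.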
@@ -2262,9 +2802,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query9FullyCompliant",
+ "name": "Query22FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -2274,93 +2814,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query10Stats",
- "type": 1,
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query10FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query11Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query11FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query12Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query12FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query13Stats",
+ "name": "Query23Stats",
"type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
"crossComponentResources": [
"{Subscription}"
],
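Review bot: The NSG rule-count query on L29787 uses `compliant = (rules < 900)`, while the recommendation text paired with it (L29910) says "Do not implement more than 900 NSG rules", so an NSG with exactly 900 rules is flagged although it meets the stated guidance; the grid query at L29920 has the same boundary. Either `compliant = (rules <= 900)` or wording the text as "fewer than 900" would make the two agree.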
@@ -2374,9 +2830,9 @@
{
"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
"version": "KqlParameterItem/1.0",
- "name": "Query13FullyCompliant",
+ "name": "Query23FullyCompliant",
"type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query23Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 86400000
@@ -2397,7 +2853,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}"
+ "resultVal": "{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}"
}
}
]
@@ -2416,7 +2872,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}"
+ "resultVal": "{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}"
}
}
]
@@ -2450,7 +2906,7 @@
{
"type": 1,
"content": {
- "json": "## Hybrid"
+ "json": "## Segmentation"
},
"customWidth": "50",
"name": "tab6title"
@@ -2491,15 +2947,15 @@
{
"type": 1,
"content": {
- "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information."
},
- "name": "querytext7"
+ "name": "querytext19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2548,20 +3004,20 @@
]
}
},
- "name": "query7"
+ "name": "query19"
},
{
"type": 1,
"content": {
- "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
+ "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
},
- "name": "querytext8"
+ "name": "querytext21"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2610,20 +3066,20 @@
]
}
},
- "name": "query8"
+ "name": "query21"
},
{
"type": 1,
"content": {
- "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
+ "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
},
- "name": "querytext9"
+ "name": "querytext22"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2672,20 +3128,20 @@
]
}
},
- "name": "query9"
+ "name": "query22"
},
{
"type": 1,
"content": {
- "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
},
- "name": "querytext10"
+ "name": "querytext23"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -2734,400 +3190,130 @@
]
}
},
- "name": "query10"
+ "name": "query23"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab6"
+ },
+ "name": "tab6"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "parameters": [
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query24Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query24FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query24Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Tab7Success",
+ "type": 1,
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "criteriaData": [
+ {
+ "criteriaContext": {
+ "operator": "Default",
+ "resultValType": "expression",
+ "resultVal": "{Query24Stats:$.Success}"
+ }
+ }
+ ]
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Tab7Total",
+ "type": 1,
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "criteriaData": [
+ {
+ "criteriaContext": {
+ "operator": "Default",
+ "resultValType": "expression",
+ "resultVal": "{Query24Stats:$.Total}"
+ }
+ }
+ ]
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Tab7Percent",
+ "type": 1,
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "criteriaData": [
+ {
+ "criteriaContext": {
+ "operator": "Default",
+ "resultValType": "expression",
+ "resultVal": "round(100*{Tab7Success}/{Tab7Total})"
+ }
+ }
+ ]
+ }
+ ],
+ "style": "pills",
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ "name": "TabInvisibleParameters"
},
{
"type": 1,
"content": {
- "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
+ "json": "## Virtual WAN"
},
- "name": "querytext11"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query11"
- },
- {
- "type": 1,
- "content": {
- "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
- },
- "name": "querytext12"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query12"
- },
- {
- "type": 1,
- "content": {
- "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information."
- },
- "name": "querytext13"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query13"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab6"
- },
- "name": "tab6"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "parameters": [
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query0Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query0FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query0Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query1Stats",
- "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query1FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query1Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query2Stats",
- "type": 1,
- "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query2FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query2Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query3Stats",
- "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Query3FullyCompliant",
- "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query3Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "queryType": 8
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Tab7Success",
- "type": 1,
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "criteriaData": [
- {
- "criteriaContext": {
- "operator": "Default",
- "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
- }
- }
- ]
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Tab7Total",
- "type": 1,
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "criteriaData": [
- {
- "criteriaContext": {
- "operator": "Default",
- "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
- }
- }
- ]
- },
- {
- "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
- "version": "KqlParameterItem/1.0",
- "name": "Tab7Percent",
- "type": 1,
- "isHiddenWhenLocked": true,
- "timeContext": {
- "durationMs": 86400000
- },
- "criteriaData": [
- {
- "criteriaContext": {
- "operator": "Default",
- "resultValType": "expression",
- "resultVal": "round(100*{Tab7Success}/{Tab7Total})"
- }
- }
- ]
- }
- ],
- "style": "pills",
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources"
- },
- "name": "TabInvisibleParameters"
- },
- {
- "type": 1,
- "content": {
- "json": "## Hub and spoke"
- },
- "customWidth": "50",
- "name": "tab7title"
+ "customWidth": "50",
+ "name": "tab7title"
},
{
"type": 3,
@@ -3165,201 +3351,15 @@
{
"type": 1,
"content": {
- "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
- },
- "name": "querytext0"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query0"
- },
- {
- "type": 1,
- "content": {
- "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
- },
- "name": "querytext1"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query1"
- },
- {
- "type": 1,
- "content": {
- "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
- },
- "name": "querytext2"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
- "size": 4,
- "queryType": 1,
- "resourceType": "microsoft.resourcegraph/resources",
- "crossComponentResources": [
- "{Subscription}"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "id",
- "formatter": 0,
- "numberFormat": {
- "unit": 0,
- "options": {
- "style": "decimal"
- }
- }
- },
- {
- "columnMatch": "compliant",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "icons",
- "thresholdsGrid": [
- {
- "operator": "==",
- "thresholdValue": "1",
- "representation": "success",
- "text": "Success"
- },
- {
- "operator": "==",
- "thresholdValue": "0",
- "representation": "failed",
- "text": "Failed"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "unknown",
- "text": "Unknown"
- }
- ]
- }
- }
- ]
- }
- },
- "name": "query2"
- },
- {
- "type": 1,
- "content": {
- "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
+ "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext3"
+ "name": "querytext24"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
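Review bot: The new `query` line counts a virtual hub as compliant only when `properties.azureFirewall.id` is non-null, so a hub that is secured through a third-party security partner provider or an NVA would be reported as failed even though it satisfies the intent of the `querytext24` text ("outbound Internet traffic protection and filtering"); if Azure Firewall is deliberately the only accepted control, the text should say so, otherwise the predicate needs to consider those other properties as well (the exact property paths cannot be confirmed from this hunk). The check also reports nothing for subscriptions with no virtual hubs, which is consistent with the other queries but worth keeping in mind when reading the tab counter. The item's `gridSettings` and the enclosing items array continue outside the hunk.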
@@ -3408,7 +3408,7 @@
]
}
},
- "name": "query3"
+ "name": "query24"
}
]
},
diff --git a/workbooks/alz_checklist.en_network_tabcounters_template.json b/workbooks/alz_checklist.en_network_tabcounters_template.json
index 007fbf136..46b02141f 100644
--- a/workbooks/alz_checklist.en_network_tabcounters_template.json
+++ b/workbooks/alz_checklist.en_network_tabcounters_template.json
@@ -41,7 +41,7 @@
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"023cfad0-ff26-4bbc-814c-de6b3342b29b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab0\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b2bb6db9-65f1-4acf-af8c-c6fd109f9019\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b483c77a-07bc-43ea-94b9-eca9dcc5d30f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab2\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"fc3ed446-f54f-44a1-a259-2b390e94df81\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"42664010-5d14-44e5-aaf7-b6dfc84b603d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"dc5a4f18-2f6b-46dc-9570-9dc5691c716e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"af1a7fcb-8cf8-45f0-a686-20cb625c9e02\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": 
\"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f05c5867-9bdf-4c27-aae8-2b1be0e395c4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n 
\"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n 
\"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query24\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | 
project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = 
isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n 
\"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 
0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional 
security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), 
circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": 
\"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab7title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab7Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n 
}\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"3600b117-8e49-4cd2-87fc-329949a352e0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f95a8ff1-5539-4485-93ea-b8aad2147c08\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"c45ef78d-f2df-4d2c-a70a-52c19f69b302\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab2\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"375f78b5-0e31-490b-8893-1d46fd2e386c\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab3\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"89dd4c79-11c6-4023-927f-329603efe764\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"891a964b-e44e-4c93-b842-2b8865b9a8f0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1566c26f-0fc8-44c1-b9ae-ca590a7f1f5f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n 
\"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"90e80d3f-c9f5-429f-8985-6234e5a7a479\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query6Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": 
\"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 
100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": 
\\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 
'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand 
addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n 
\"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query20Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n 
}\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n 
}\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend 
FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where 
type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or 
isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. 
Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": 
{\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": 
\"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query19Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query24FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query24Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": 
\"expression\",\n \"resultVal\": \"{Query24Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query24Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab7Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab7Success}/{Tab7Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab7title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab7Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
diff --git a/workbooks/alz_checklist.en_network_workbook.json b/workbooks/alz_checklist.en_network_workbook.json
index 36cfa00e5..8c8378135 100644
--- a/workbooks/alz_checklist.en_network_workbook.json
+++ b/workbooks/alz_checklist.en_network_workbook.json
@@ -70,43 +70,43 @@
"style": "tabs",
"links": [
{
- "id": "232f353e-4c5b-419e-8880-d5517a8731a4",
+ "id": "9c01133e-fafd-4c38-99df-8f4f41f7f8b8",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "Segmentation",
"subTarget": "tab0",
- "preText": "Hybrid",
+ "preText": "Segmentation",
"style": "primary"
},
{
- "id": "2a187620-a516-4737-9743-0d50e25979ea",
+ "id": "6793ac66-288b-4caf-8154-e1e7fcc4a45f",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Segmentation",
+ "linkLabel": "PaaS",
"subTarget": "tab1",
- "preText": "Segmentation",
+ "preText": "PaaS",
"style": "primary"
},
{
- "id": "d40326a6-0cbf-4fe2-a10b-80e2b49672e0",
+ "id": "5ae2a108-56bc-4c9f-8ad5-412608c2257a",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "Internet",
"subTarget": "tab2",
- "preText": "Hub and spoke",
+ "preText": "Internet",
"style": "primary"
},
{
- "id": "147e3e74-7ba4-43fd-b20c-6a3017a6c5d4",
+ "id": "aabc5105-c3ff-45ff-88dd-c7b0b0f03472",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "Hub and spoke",
"subTarget": "tab3",
- "preText": "Virtual WAN",
+ "preText": "Hub and spoke",
"style": "primary"
},
{
- "id": "d169a24f-36e7-4c0d-970b-fcfa1db15dfb",
+ "id": "1a657065-9be8-4a54-aa5a-a0fae34f641b",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
"linkLabel": "IP plan",
@@ -115,30 +115,30 @@
"style": "primary"
},
{
- "id": "292e545f-5e5c-47da-b1f1-4e3f5941d9cf",
+ "id": "3af800ff-34ee-44d0-b40e-d182ea5c91e5",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Firewall",
+ "linkLabel": "Virtual WAN",
"subTarget": "tab5",
- "preText": "Firewall",
+ "preText": "Virtual WAN",
"style": "primary"
},
{
- "id": "b2a19984-9afd-4f18-a8bc-2fbace15c2c8",
+ "id": "60fab3f8-1125-4e89-a901-64d6d3eefb7d",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Firewall",
"subTarget": "tab6",
- "preText": "PaaS",
+ "preText": "Firewall",
"style": "primary"
},
{
- "id": "48514461-061f-4eb2-a463-4165897d0113",
+ "id": "4d2438d4-c86a-430f-be74-4ce24e0fa947",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "Hybrid",
"subTarget": "tab7",
- "preText": "Internet",
+ "preText": "Hybrid",
"style": "primary"
}
]
@@ -154,22 +154,22 @@
{
"type": 1,
"content": {
- "json": "## Hybrid"
+ "json": "## Segmentation"
},
"name": "tab0title"
},
{
"type": 1,
"content": {
- "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information."
},
- "name": "querytext7"
+ "name": "querytext19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
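Review bot: The new query19 compares `split(subnetPrefix, '/')[1]`, a dynamic string element, directly against the integer literal 26, so the compliant flag depends on how the engine coerces a dynamic string to a number rather than on an explicit numeric comparison. Casting first removes that ambiguity: `| extend subnetPrefixLength = toint(tostring(split(subnetPrefix, '/')[1]))`. The projection also reads only `subnets.properties.addressPrefix`; a subnet defined with the `addressPrefixes` array form (if any exist in the estate) yields a null prefix and therefore a null compliant value, which is rendered as Unknown and disappears from the only-failed view instead of being flagged. The KqlItem object continues past the hunk (its gridSettings are not in the visible lines).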
@@ -218,20 +218,20 @@
]
}
},
- "name": "query7"
+ "name": "query19"
},
{
"type": 1,
"content": {
- "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
+ "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
},
- "name": "querytext8"
+ "name": "querytext21"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
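Review bot: `subnetPrefixLength <= 27` in the new query21 is an ordering comparison between a dynamic string element and a number; if that comparison falls back to lexicographic ordering, a single-digit prefix length (e.g. `/8`, which is far larger than required) sorts above `27` and is reported as failed. Making the numeric intent explicit avoids the question: `| extend subnetPrefixLength = toint(tostring(split(subnetPrefix, '/')[1]))`. As with the firewall-subnet query, only `addressPrefix` is read, so a GatewaySubnet using `addressPrefixes` would produce a null result rather than a finding. The enclosing KqlItem continues beyond the hunk.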
@@ -280,20 +280,20 @@
]
}
},
- "name": "query8"
+ "name": "query21"
},
{
"type": 1,
"content": {
- "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
+ "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
},
- "name": "querytext9"
+ "name": "querytext22"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
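Review bot: The new query22 silently drops NSGs whose custom rules are all Outbound: `summarize ... by id, tostring(ruleDirection) | where ruleDirection == 'Inbound'` leaves no row for such an NSG, and the `union` only re-adds NSGs with zero rules, so an NSG that relies entirely on the default inbound rules but has outbound rules is never reported. Folding the direction into the countif keeps one row per NSG: `| summarize StarDenies=countif(ruleAction=='Deny' and ruleDirection=='Inbound' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id | project id, compliant=(StarDenies>0)`, with the existing union still covering rule-less NSGs. Note also that the check only proves a deny-all rule exists; it does not inspect Allow rules, so a broad Allow at a lower priority number than the deny still yields "compliant" — worth stating in the text item. `mvexpand` is the legacy spelling; `mv-expand` is used by the other new queries in this file.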
@@ -342,20 +342,20 @@
]
}
},
- "name": "query9"
+ "name": "query22"
},
{
"type": 1,
"content": {
- "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
},
- "name": "querytext10"
+ "name": "querytext23"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
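Review bot: `compliant = (rules < 900)` in the new query23 disagrees with the accompanying text "Do not implement more than 900 NSG rules": an NSG with exactly 900 custom rules is reported as failed although it does not exceed the stated threshold. Either make the comparison `compliant = (rules <= 900)` or reword the text to "900 or more". `array_length(properties.securityRules)` counts only custom rules, which is the correct basis for the 1000-rule limit; a short note to that effect in the text item would pre-empt the obvious question about default rules.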
@@ -404,20 +404,42 @@
]
}
},
- "name": "query10"
+ "name": "query23"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab0"
+ },
+ "name": "tab0"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## PaaS"
+ },
+ "name": "tab1title"
},
{
"type": 1,
"content": {
- "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
+ "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
},
- "name": "querytext11"
+ "name": "querytext20"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
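Review bot: The new query20 reports every subnet that has any service endpoint as failed, which is stricter than the text item "Don't enable virtual network service endpoints by default on all subnets": a subnet with a single, deliberate endpoint is indistinguishable from a blanket enablement. If the intended guidance really is "avoid service endpoints; prefer Private Link", the text should say so; otherwise aggregating per VNet matches the wording, e.g. `| extend hasEndpoints = isnotnull(subnets.properties.serviceEndpoints) and array_length(subnets.properties.serviceEndpoints) > 0 | summarize subnets = count(), withEndpoints = countif(hasEndpoints) by id | project id, compliant = (withEndpoints < subnets)`. The `order by compliant asc` before the `OnlyFailed` filter is harmless but redundant once the grid sorts by column. The KqlItem object continues past the hunk.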
@@ -466,20 +488,42 @@
]
}
},
- "name": "query11"
+ "name": "query20"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab1"
+ },
+ "name": "tab1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Internet"
+ },
+ "name": "tab2title"
},
{
"type": 1,
"content": {
- "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
},
- "name": "querytext12"
+ "name": "querytext6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
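Review bot: In the AzureBastionSubnet query (`query6`), `subnetPrefixLength` is the raw `split(subnetPrefix, '/')[1]` value, a dynamic string, and `subnetPrefixLength <= 26` relies on that value being coerced to a number before the comparison. Making the conversion explicit, `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`, removes the dependence on implicit coercion and reads as the numeric prefix-length check the `querytext6` text describes. The same pattern appears in the RouteServerSubnet query (`query0`) in the next hunk and in the address-mask query (`addressMask > 16`, `query5`) in the hunk headed `@@ -860,42 +926,20 @@`.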
@@ -528,20 +572,42 @@
]
}
},
- "name": "query12"
+ "name": "query6"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab2"
+ },
+ "name": "tab2"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Hub and spoke"
+ },
+ "name": "tab3title"
},
{
"type": 1,
"content": {
- "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information."
+ "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
},
- "name": "querytext13"
+ "name": "querytext0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -590,42 +656,20 @@
]
}
},
- "name": "query13"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Segmentation"
- },
- "name": "tab1title"
+ "name": "query0"
},
{
"type": 1,
"content": {
- "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information."
+ "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
},
- "name": "querytext19"
+ "name": "querytext1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
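Review bot: The threshold in the `query1` KQL, `compliant = (peeringcount < 450)`, does not match the number in its `querytext1` text, which tells the reader to add a hub beyond 400 spokes, so a VNet with 420 peerings is reported compliant while the text says it is over the limit. Either align the query with the text, `extend compliant = (peeringcount <= 400)`, or state in the text that the check fires at 450 to leave headroom under the 500-peering limit it cites. The same drift exists in the next hunk, where `querytext2` says to limit routes per table to 400 but `query2` tests `routeCount < 360`.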
@@ -674,20 +718,20 @@
]
}
},
- "name": "query19"
+ "name": "query1"
},
{
"type": 1,
"content": {
- "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information."
+ "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
},
- "name": "querytext21"
+ "name": "querytext2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -736,20 +780,20 @@
]
}
},
- "name": "query21"
+ "name": "query2"
},
{
"type": 1,
"content": {
- "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information."
+ "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
},
- "name": "querytext22"
+ "name": "querytext3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -798,20 +842,42 @@
]
}
},
- "name": "query22"
+ "name": "query3"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab3"
+ },
+ "name": "tab3"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## IP plan"
+ },
+ "name": "tab4title"
},
{
"type": 1,
"content": {
- "json": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this."
+ "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext23"
+ "name": "querytext4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -860,42 +926,20 @@
]
}
},
- "name": "query23"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab1"
- },
- "name": "tab1"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Hub and spoke"
- },
- "name": "tab2title"
+ "name": "query4"
},
{
"type": 1,
"content": {
- "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
+ "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext0"
+ "name": "querytext5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -944,20 +988,42 @@
]
}
},
- "name": "query0"
+ "name": "query5"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab4"
+ },
+ "name": "tab4"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Virtual WAN"
+ },
+ "name": "tab5title"
},
{
"type": 1,
"content": {
- "json": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
},
- "name": "querytext1"
+ "name": "querytext24"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1006,20 +1072,42 @@
]
}
},
- "name": "query1"
+ "name": "query24"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab5"
+ },
+ "name": "tab5"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Firewall"
+ },
+ "name": "tab6title"
},
{
"type": 1,
"content": {
- "json": "Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
+ "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
},
- "name": "querytext2"
+ "name": "querytext14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1068,20 +1156,20 @@
]
}
},
- "name": "query2"
+ "name": "query14"
},
{
"type": 1,
"content": {
- "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
+ "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
},
- "name": "querytext3"
+ "name": "querytext15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1130,42 +1218,20 @@
]
}
},
- "name": "query3"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab2"
- },
- "name": "tab2"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Virtual WAN"
- },
- "name": "tab3title"
+ "name": "query15"
},
{
"type": 1,
"content": {
- "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
+ "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information."
},
- "name": "querytext24"
+ "name": "querytext16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
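Review bot: The `querytext16` link anchor `#idps-signature-rules` does not match the item, which is about Threat Intelligence mode (`query16` tests `properties.threatIntelMode == 'Deny'`); the following item (`querytext17`, IDPS mode) already links to `#idps`. If this text is generated from the checklist source, the fix belongs in that item's `link` field so the anchor points at the Threat Intelligence section of the premium-features page rather than the IDPS signature-rules section.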
@@ -1214,42 +1280,20 @@
]
}
},
- "name": "query24"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab3"
- },
- "name": "tab3"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## IP plan"
- },
- "name": "tab4title"
+ "name": "query16"
},
{
"type": 1,
"content": {
- "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
},
- "name": "querytext4"
+ "name": "querytext17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1298,20 +1342,20 @@
]
}
},
- "name": "query4"
+ "name": "query17"
},
{
"type": 1,
"content": {
- "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information."
},
- "name": "querytext5"
+ "name": "querytext18"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
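Review bot: In `query18` a VNet with no peerings appears to contribute no row (or a null one) to the right side of the `join kind=fullouter`, so `isVWANpeer` is null for its subnets and `compliant = (hasRT==true or isVWANpeer==true)` evaluates to null rather than false when the subnet has no route table; the trailing `where compliant == 0 or not (onlyFailed == 1)` then drops exactly those rows in only-failed mode, hiding the isolated subnets this check exists to catch. Wrapping the null, `extend compliant = (hasRT == true or coalesce(isVWANpeer, false))`, keeps such subnets reported as non-compliant; worth confirming against a VNet with zero peerings. The right side also does not apply the left side's special-subnet exclusion, so GatewaySubnet/AzureFirewallSubnet/RouteServerSubnet/AzureBastionSubnet rows come back through the outer join with `hasRT` null and the same null `compliant`; applying the same `where not (subnetName in (...))` filter on the right side keeps the two sides symmetric. Note as well that Virtual WAN membership is inferred from the peering name prefix `remotevnettohubpeering`, which depends on the auto-generated name being kept; a renamed peering would be treated as an ordinary hub peering.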
@@ -1360,16 +1404,16 @@
]
}
},
- "name": "query5"
+ "name": "query18"
}
]
},
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab4"
+ "value": "tab6"
},
- "name": "tab4"
+ "name": "tab6"
},
{
"type": 12,
@@ -1380,22 +1424,22 @@
{
"type": 1,
"content": {
- "json": "## Firewall"
+ "json": "## Hybrid"
},
- "name": "tab5title"
+ "name": "tab7title"
},
{
"type": 1,
"content": {
- "json": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
+ "json": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
},
- "name": "querytext14"
+ "name": "querytext7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
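Review bot: In `query7` the gateway-type filter mixes case-insensitive and case-sensitive comparison, `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'`, so an ExpressRoute gateway is matched only on exact casing while a VPN gateway is not; `where properties.gatewayType in~ ('Vpn', 'ExpressRoute')` treats both the same way. The `SKUTier !in ('Basic', 'Standard')` test is likewise case-sensitive, and `!in~` would match the case-insensitive `contains` style used for the same column elsewhere in these queries. The same filter appears in `query10` in the hunk headed `@@ -1568,20 +1612,20 @@`, where the `querytext10` text is ExpressRoute-specific but VPN gateways are included in the result set as well; the projected `Type` column makes this visible, but it may be worth narrowing the filter to `properties.gatewayType =~ 'ExpressRoute'` or widening the text to cover both gateway types.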
@@ -1444,20 +1488,20 @@
]
}
},
- "name": "query14"
+ "name": "query7"
},
{
"type": 1,
"content": {
- "json": "Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
+ "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
},
- "name": "querytext15"
+ "name": "querytext8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
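Review bot: `query8` marks every ExpressRoute circuit non-compliant unless `sku.family` is MeteredData or the tier is Local, while its `querytext8` makes the recommendation conditional on actual bandwidth use, which a Resource Graph query cannot observe. A reader of the workbook will see unlimited-data circuits flagged regardless of utilisation, so the text should say that this check lists unlimited-data circuits for review rather than judging them, e.g. append `This check cannot assess bandwidth utilisation; review the listed circuits against their usage.`; if the text is generated from the checklist, that sentence belongs in the checklist item.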
@@ -1506,20 +1550,20 @@
]
}
},
- "name": "query15"
+ "name": "query8"
},
{
"type": 1,
"content": {
- "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information."
+ "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
},
- "name": "querytext16"
+ "name": "querytext9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1568,20 +1612,20 @@
]
}
},
- "name": "query16"
+ "name": "query9"
},
{
"type": 1,
"content": {
- "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
+ "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
},
- "name": "querytext17"
+ "name": "querytext10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
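Review bot: The new query at L31675 is presented as the zone-redundant ExpressRoute gateway check (L31665) but also admits VPN gateways through `properties.gatewayType =~ 'vpn'`, so every VPN gateway is evaluated here and again by the dedicated VPN check at L31700, with two different SKU tests (`SKUTier contains 'AZ'` versus `tolower(properties.sku.name) contains 'az'`), and can appear twice in the failure list. Restricting the filter to `| where properties.gatewayType == 'ExpressRoute'` scopes the query to its text; `contains` is already case-insensitive in KQL, so the `tolower()` at L31700 is redundant as well. This query also ends in `project name, id, subscriptionId, resourceGroup, Type, compliant` where the neighbouring checks end in `distinct id, compliant`, which makes its output shape differ from the rest of the tab. The rendered text at L31665 (and L31690, L31737) carries a doubled full stop before "[This training]", which looks like a concatenation slip in whatever produces these strings.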
@@ -1630,20 +1674,20 @@
]
}
},
- "name": "query17"
+ "name": "query10"
},
{
"type": 1,
"content": {
- "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information."
+ "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
},
- "name": "querytext18"
+ "name": "querytext11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1692,42 +1736,20 @@
]
}
},
- "name": "query18"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab5"
- },
- "name": "tab5"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## PaaS"
- },
- "name": "tab6title"
+ "name": "query11"
},
{
"type": 1,
"content": {
- "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
+ "json": "Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
},
- "name": "querytext20"
+ "name": "querytext12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
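Review bot: The redundancy count in the new query at L31747 keys on `properties.serviceProviderProperties.peeringLocation`, which is empty for circuits that are not provider-based (ExpressRoute Direct circuits reference a port instead, presumably via `properties.expressRoutePort.id`; confirm against the circuit schema); `tostring()` turns that into `''`, so any number of such circuits collapse into one `distinct gwId, circuitLocation` row and the gateway is reported as non-compliant however many locations it really spans. A fallback key such as `circuitLocation=coalesce(tostring(properties.serviceProviderProperties.peeringLocation), tostring(properties.expressRoutePort.id))` would keep those circuits distinguishable. Because the join is an inner join, a gateway with no ExpressRoute connection at all yields no row rather than a failure, which is worth stating in the checklist text if that is the intent.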
@@ -1776,42 +1798,20 @@
]
}
},
- "name": "query20"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab6"
- },
- "name": "tab6"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Internet"
- },
- "name": "tab7title"
+ "name": "query12"
},
{
"type": 1,
"content": {
- "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
+ "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information."
},
- "name": "querytext6"
+ "name": "querytext13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 0,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
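Review bot: In the new query at L31794 a GatewaySubnet whose route-table reference finds no partner in the `leftouter` join ends up with a null `disableBgpRoutePropagation` and is therefore reported as compliant, so a case mismatch between `subnets.properties.routeTable.id` and the route table's `id`, or a route table the caller cannot read, hides exactly the misconfiguration the check exists to catch. Normalising both join keys with `tolower()` and distinguishing "no route table attached" (`routeTableId == ''`) from "route table not found" would surface that case instead of passing it. `== False` relies on the parser accepting a capitalised bool literal; KQL's literals are lowercase `true`/`false`, which is also what the rest of the file uses (for example `PeeredToVWAN == true` on the removed line L31699). The mixed-case `Resources` table name inside the join likewise differs from `resources` everywhere else in these hunks.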
@@ -1860,7 +1860,7 @@
]
}
},
- "name": "query6"
+ "name": "query13"
}
]
},
diff --git a/workbooks/alz_checklist.en_network_workbook_template.json b/workbooks/alz_checklist.en_network_workbook_template.json
index a0644d86d..5ea955d18 100644
--- a/workbooks/alz_checklist.en_network_workbook_template.json
+++ b/workbooks/alz_checklist.en_network_workbook_template.json
@@ -41,7 +41,7 @@
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"232f353e-4c5b-419e-8880-d5517a8731a4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"2a187620-a516-4737-9743-0d50e25979ea\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d40326a6-0cbf-4fe2-a10b-80e2b49672e0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"147e3e74-7ba4-43fd-b20c-6a3017a6c5d4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d169a24f-36e7-4c0d-970b-fcfa1db15dfb\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab4\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"292e545f-5e5c-47da-b1f1-4e3f5941d9cf\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b2a19984-9afd-4f18-a8bc-2fbace15c2c8\",\n \"cellValue\": \"VisibleTab\",\n 
\"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab6\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"48514461-061f-4eb2-a463-4165897d0113\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n 
\"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": 
\"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": 
null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. 
Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": 
\"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": 
null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": 
\"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": 
\"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic 
protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 
1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Internet\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": 
\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"9c01133e-fafd-4c38-99df-8f4f41f7f8b8\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"6793ac66-288b-4caf-8154-e1e7fcc4a45f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab1\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"5ae2a108-56bc-4c9f-8ad5-412608c2257a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"aabc5105-c3ff-45ff-88dd-c7b0b0f03472\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1a657065-9be8-4a54-aa5a-a0fae34f641b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab4\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3af800ff-34ee-44d0-b40e-d182ea5c91e5\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"60fab3f8-1125-4e89-a901-64d6d3eefb7d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": 
\"parameter\",\n \"linkLabel\": \"Firewall\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Firewall\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"4d2438d4-c86a-430f-be74-4ce24e0fa947\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab7\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n 
\"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n 
\"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules. Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits) for further information.. [This training](https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": 
\"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum 
number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Limit the number of routes per route table to 400. 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address 
allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that 
IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": 
\"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/howto-firewall) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext24\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query24\"\n }\n ]\n },\n 
\"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Firewall\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium to enable additional security features. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab7title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. 
Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use ExpressRoute circuits from different peering locations for redundancy. Check [this link](https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab7\"\n },\n \"name\": \"tab7\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook.json b/workbooks/appdelivery_checklist.en_network_counters_workbook.json
index b28ae85f8..004407903 100644
--- a/workbooks/appdelivery_checklist.en_network_counters_workbook.json
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook.json
@@ -413,7 +413,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}"
+ "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}"
}
}
]
@@ -432,7 +432,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}"
+ "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}"
}
}
]
@@ -470,7 +470,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}"
}
}
]
@@ -489,7 +489,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}"
}
}
]
@@ -527,7 +527,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}"
+ "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}"
}
}
]
@@ -546,7 +546,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}"
+ "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}"
}
}
]
@@ -584,7 +584,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}"
+ "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}"
}
}
]
@@ -603,7 +603,7 @@
"criteriaContext": {
"operator": "Default",
"resultValType": "expression",
- "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}"
+ "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}"
}
}
]
@@ -677,30 +677,30 @@
"style": "tabs",
"links": [
{
- "id": "ce0385d5-3492-4781-85f7-7285ad42908c",
+ "id": "82ac2f54-6c1a-4d4a-bfa0-ade36224c47a",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Load Balancer ({Tab0Success:value}/{Tab0Total:value})",
+ "linkLabel": "Front Door ({Tab0Success:value}/{Tab0Total:value})",
"subTarget": "tab0",
- "preText": "Load Balancer",
+ "preText": "Front Door",
"style": "primary"
},
{
- "id": "6d15ce5a-5849-4d98-bfcd-ebd6bab12257",
+ "id": "ab61b946-0586-4581-977f-398a4863718d",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Front Door ({Tab1Success:value}/{Tab1Total:value})",
+ "linkLabel": "App Gateway ({Tab1Success:value}/{Tab1Total:value})",
"subTarget": "tab1",
- "preText": "Front Door",
+ "preText": "App Gateway",
"style": "primary"
},
{
- "id": "bd04ea2f-fbfd-453d-9ad2-05f3ce74d94d",
+ "id": "8363866e-037f-4546-bc4a-904c37832a98",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "App Gateway ({Tab2Success:value}/{Tab2Total:value})",
+ "linkLabel": "Load Balancer ({Tab2Success:value}/{Tab2Total:value})",
"subTarget": "tab2",
- "preText": "App Gateway",
+ "preText": "Load Balancer",
"style": "primary"
}
]
@@ -716,22 +716,22 @@
{
"type": 1,
"content": {
- "json": "## Load Balancer"
+ "json": "## Front Door"
},
"name": "tab0title"
},
{
"type": 1,
"content": {
- "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
+ "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
},
- "name": "querytext1"
+ "name": "querytext5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -780,20 +780,20 @@
]
}
},
- "name": "query1"
+ "name": "query5"
},
{
"type": 1,
"content": {
- "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
+ "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information."
},
- "name": "querytext8"
+ "name": "querytext6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -842,42 +842,20 @@
]
}
},
- "name": "query8"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Front Door"
- },
- "name": "tab1title"
+ "name": "query6"
},
{
"type": 1,
"content": {
- "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
+ "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information."
},
- "name": "querytext5"
+ "name": "querytext7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -926,20 +904,20 @@
]
}
},
- "name": "query5"
+ "name": "query7"
},
{
"type": 1,
"content": {
- "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information."
+ "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information."
},
- "name": "querytext6"
+ "name": "querytext9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
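Review bot: The managed-TLS check (query9, the customdomains query in this hunk) appears inverted: it sets `compliant` when `tlsSettings.certificateType` is `customercertificate`, so domains using customer-managed certificates pass and domains using Front Door managed certificates fail, which is the opposite of the recommendation text. Unless the Azure Resource Graph value differs from the ARM enum (I believe the values are `ManagedCertificate` and `CustomerCertificate`, worth verifying), the predicate should read `compliant = (isnull(properties['tlsSettings']['certificateType']) or properties['tlsSettings']['certificateType'] =~ 'ManagedCertificate')`; `tolower()` combined with the case-insensitive `=~` is redundant either way. Treating a missing `certificateType` as compliant also hides custom domains with no TLS settings at all, which may be intentional but deserves a comment in the checklist source. The commit only moves this query between tabs, and the file looks generated from the checklist JSON, so the fix presumably belongs in the source checklist's graph query rather than here.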
@@ -988,20 +966,42 @@
]
}
},
- "name": "query6"
+ "name": "query9"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab0"
+ },
+ "name": "tab0"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## App Gateway"
+ },
+ "name": "tab1title"
},
{
"type": 1,
"content": {
- "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information."
+ "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext7"
+ "name": "querytext0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1050,20 +1050,20 @@
]
}
},
- "name": "query7"
+ "name": "query0"
},
{
"type": 1,
"content": {
- "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information."
+ "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext9"
+ "name": "querytext2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1112,42 +1112,20 @@
]
}
},
- "name": "query9"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab1"
- },
- "name": "tab1"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## App Gateway"
- },
- "name": "tab2title"
+ "name": "query2"
},
{
"type": 1,
"content": {
- "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext0"
+ "name": "querytext3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1196,20 +1174,20 @@
]
}
},
- "name": "query0"
+ "name": "query3"
},
{
"type": 1,
"content": {
- "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext2"
+ "name": "querytext4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1258,20 +1236,20 @@
]
}
},
- "name": "query2"
+ "name": "query4"
},
{
"type": 1,
"content": {
- "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
},
- "name": "querytext3"
+ "name": "querytext10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1320,20 +1298,20 @@
]
}
},
- "name": "query3"
+ "name": "query10"
},
{
"type": 1,
"content": {
- "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
},
- "name": "querytext4"
+ "name": "querytext11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
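Review bot: The "Deploy your WAF policy for Application Gateway in 'Prevention' mode" check (query11 in this hunk) queries `microsoft.network/frontdoorwebapplicationfirewallpolicies`, the Front Door WAF policy type, so it is a byte-for-byte duplicate of the Front Door check (query5) and never evaluates an Application Gateway WAF policy; a gateway whose WAF runs in Detection mode still shows as compliant in the App Gateway tab. The bot-protection check just above it already uses the right type, so the query should be rewritten along the lines of `resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | project id, compliant=((properties.policySettings.state == 'Enabled') and (properties.policySettings.mode == 'Prevention')) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed` (property names per the Application Gateway WAF policy ARM schema, worth confirming, and optionally joined back to the gateway via `properties.firewallPolicy.id` if the tab is meant to key on gateway ids). The accompanying text link also points at the Front Door (`afds`) policy-settings page rather than the Application Gateway WAF documentation. The commit only relocates this item between tabs and the workbook appears generated from the checklist JSON, so the correction presumably belongs in the source checklist and the workbook should be regenerated.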
@@ -1382,20 +1360,42 @@
]
}
},
- "name": "query4"
+ "name": "query11"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab1"
+ },
+ "name": "tab1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Load Balancer"
+ },
+ "name": "tab2title"
},
{
"type": 1,
"content": {
- "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
+ "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
},
- "name": "querytext10"
+ "name": "querytext1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -1444,20 +1444,20 @@
]
}
},
- "name": "query10"
+ "name": "query1"
},
{
"type": 1,
"content": {
- "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
+ "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
},
- "name": "querytext11"
+ "name": "querytext8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
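Review bot: The outbound-rules check in the new query8 line derives `compliant = (countOutRules == 0)` from `array_length(properties.outboundRules)`; if Resource Graph omits `outboundRules` for a load balancer instead of returning an empty array, `array_length()` returns null, `compliant` becomes null, and the resource is shown with an empty compliance cell rather than passing. Writing `extend countOutRules=coalesce(array_length(properties.outboundRules), 0)` gives a definite true/false in both cases. Minor style point: this query uses `type=='microsoft.network/loadbalancers'` and `distinct id,compliant` while the sibling query1 in the previous hunk uses `type == '...'` and `project id, compliant`; aligning the two keeps the workbook's queries uniform and easier to diff.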
@@ -1506,7 +1506,7 @@
]
}
},
- "name": "query11"
+ "name": "query8"
}
]
},
diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
index 4d07eeff2..96038e6c3 100644
--- a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json
@@ -41,7 +41,7 @@
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, 
mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": 
\"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"ce0385d5-3492-4781-85f7-7285ad42908c\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"6d15ce5a-5849-4d98-bfcd-ebd6bab12257\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"bd04ea2f-fbfd-453d-9ad2-05f3ce74d94d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n 
\"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab1title\"\n 
},\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": 
\"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n 
}\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab2title\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, 
mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": 
\"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n 
}\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"82ac2f54-6c1a-4d4a-bfa0-ade36224c47a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ab61b946-0586-4581-977f-398a4863718d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8363866e-037f-4546-bc4a-904c37832a98\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": 
\"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": 
\"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n 
\"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your 
Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
diff --git a/workbooks/appdelivery_checklist.en_network_workbook.json b/workbooks/appdelivery_checklist.en_network_workbook.json
index 93b895e06..b4ac0b29d 100644
--- a/workbooks/appdelivery_checklist.en_network_workbook.json
+++ b/workbooks/appdelivery_checklist.en_network_workbook.json
@@ -70,30 +70,30 @@
"style": "tabs",
"links": [
{
- "id": "e39bec07-cd51-4252-b6f1-cb1e46b128f8",
+ "id": "2e2ea355-93b1-4743-ad7e-8402645e68b4",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Front Door",
+ "linkLabel": "App Gateway",
"subTarget": "tab0",
- "preText": "Front Door",
+ "preText": "App Gateway",
"style": "primary"
},
{
- "id": "e75b826b-3fa7-4de8-a121-aa384c9fec60",
+ "id": "451e2e6a-f381-496f-b099-9e81b169da58",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "Load Balancer",
+ "linkLabel": "Front Door",
"subTarget": "tab1",
- "preText": "Load Balancer",
+ "preText": "Front Door",
"style": "primary"
},
{
- "id": "afbcc605-4c1b-4b1a-a4bb-f797b5063a95",
+ "id": "f9d5f7b4-0f81-4725-8d8f-d8239cd632d9",
"cellValue": "VisibleTab",
"linkTarget": "parameter",
- "linkLabel": "App Gateway",
+ "linkLabel": "Load Balancer",
"subTarget": "tab2",
- "preText": "App Gateway",
+ "preText": "Load Balancer",
"style": "primary"
}
]
@@ -109,22 +109,22 @@
{
"type": 1,
"content": {
- "json": "## Front Door"
+ "json": "## App Gateway"
},
"name": "tab0title"
},
{
"type": 1,
"content": {
- "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
+ "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext5"
+ "name": "querytext0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -173,20 +173,20 @@
]
}
},
- "name": "query5"
+ "name": "query0"
},
{
"type": 1,
"content": {
- "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information."
+ "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext6"
+ "name": "querytext2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -235,20 +235,20 @@
]
}
},
- "name": "query6"
+ "name": "query2"
},
{
"type": 1,
"content": {
- "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information."
+ "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext7"
+ "name": "querytext3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -297,20 +297,20 @@
]
}
},
- "name": "query7"
+ "name": "query3"
},
{
"type": 1,
"content": {
- "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information."
+ "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
},
- "name": "querytext9"
+ "name": "querytext4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -359,42 +359,20 @@
]
}
},
- "name": "query9"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Load Balancer"
- },
- "name": "tab1title"
+ "name": "query4"
},
{
"type": 1,
"content": {
- "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
+ "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
},
- "name": "querytext1"
+ "name": "querytext10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -443,20 +421,20 @@
]
}
},
- "name": "query1"
+ "name": "query10"
},
{
"type": 1,
"content": {
- "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
+ "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
},
- "name": "querytext8"
+ "name": "querytext11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
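Review bot: The 'Prevention' mode check that now sits in the App Gateway tab still queries `microsoft.network/frontdoorwebapplicationfirewallpolicies` (the `+` query line following "querytext11"), so it lists Front Door policies under the Application Gateway heading and never evaluates an Application Gateway WAF policy that was left in Detection mode; the Front Door tab further down runs the identical query. The item text also links to the Front Door policy-settings page although it talks about Application Gateway. Since this workbook is generated from the checklists, the correction belongs in the source checklist item rather than here: the query should target `microsoft.network/applicationgatewaywebapplicationfirewallpolicies` (the type the bot-protection check in the previous hunk already uses) and derive compliance from the policy settings, e.g. `compliant = (properties.policySettings.state == 'Enabled' and properties.policySettings.mode == 'Prevention')` — the exact property names should be confirmed against the WAF policy resource schema. The enclosing items array continues outside this hunk.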
@@ -505,16 +483,16 @@
]
}
},
- "name": "query8"
+ "name": "query11"
}
]
},
"conditionalVisibility": {
"parameterName": "VisibleTab",
"comparison": "isEqualTo",
- "value": "tab1"
+ "value": "tab0"
},
- "name": "tab1"
+ "name": "tab0"
},
{
"type": 12,
@@ -525,22 +503,22 @@
{
"type": 1,
"content": {
- "json": "## App Gateway"
+ "json": "## Front Door"
},
- "name": "tab2title"
+ "name": "tab1title"
},
{
"type": 1,
"content": {
- "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
},
- "name": "querytext0"
+ "name": "querytext5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -589,20 +567,20 @@
]
}
},
- "name": "query0"
+ "name": "query5"
},
{
"type": 1,
"content": {
- "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information."
},
- "name": "querytext2"
+ "name": "querytext6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -651,20 +629,20 @@
]
}
},
- "name": "query2"
+ "name": "query6"
},
{
"type": 1,
"content": {
- "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information."
},
- "name": "querytext3"
+ "name": "querytext7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -713,20 +691,20 @@
]
}
},
- "name": "query3"
+ "name": "query7"
},
{
"type": 1,
"content": {
- "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this."
+ "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information."
},
- "name": "querytext4"
+ "name": "querytext9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -775,20 +753,42 @@
]
}
},
- "name": "query4"
+ "name": "query9"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab1"
+ },
+ "name": "tab1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Load Balancer"
+ },
+ "name": "tab2title"
},
{
"type": 1,
"content": {
- "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
+ "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information."
},
- "name": "querytext10"
+ "name": "querytext1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -837,20 +837,20 @@
]
}
},
- "name": "query10"
+ "name": "query1"
},
{
"type": 1,
"content": {
- "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
+ "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information."
},
- "name": "querytext11"
+ "name": "querytext8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
"size": 4,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
@@ -899,7 +899,7 @@
]
}
},
- "name": "query11"
+ "name": "query8"
}
]
},
diff --git a/workbooks/appdelivery_checklist.en_network_workbook_template.json b/workbooks/appdelivery_checklist.en_network_workbook_template.json
index 152457236..ceeb91d8f 100644
--- a/workbooks/appdelivery_checklist.en_network_workbook_template.json
+++ b/workbooks/appdelivery_checklist.en_network_workbook_template.json
@@ -41,7 +41,7 @@
"dependsOn": [],
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
- "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"e39bec07-cd51-4252-b6f1-cb1e46b128f8\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e75b826b-3fa7-4de8-a121-aa384c9fec60\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"afbcc605-4c1b-4b1a-a4bb-f797b5063a95\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab2\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"2e2ea355-93b1-4743-ad7e-8402645e68b4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"451e2e6a-f381-496f-b099-9e81b169da58\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f9d5f7b4-0f81-4725-8d8f-d8239cd632d9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n 
{\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n 
}\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n 
\"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
"version": "1.0",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"